Apr 30, 2020
I found the last section super helpful.
I wanted to store a user's (paid) subscription status in their user doc but not allow them to change it.
In order to disallow updating of a single field in their own document, this is what I settled on:
```
match /users/{userId}/{document=**} {
  allow read, delete: if request.auth.uid == userId;
  allow update: if request.auth.uid == userId &&
    request.resource.data.subscription == resource.data.subscription;
  allow create: if request.auth.uid != null;
}
```
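The following is an added example, not part of the comment above: a variant of the same rule set that also constrains the `subscription` field on `create`, since the rule as posted checks it only on `update`. It assumes the field is written solely by a trusted backend through the Admin SDK (which is not subject to security rules) and scopes the match to the top-level user document only.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Owner-only access; the null check keeps unauthenticated
      // requests from reaching the uid comparison.
      function isOwner() {
        return request.auth != null && request.auth.uid == userId;
      }

      allow read, delete: if isOwner();

      // A client may create only its own document, and the new
      // document must not carry a subscription field at all.
      // Assumption: the backend sets the field later via the Admin SDK.
      allow create: if isOwner()
        && !('subscription' in request.resource.data);

      // The subscription key must not be among the keys that differ
      // between the stored and the incoming document. Unlike a direct
      // equality test, this also evaluates cleanly when the field is
      // absent from both versions.
      allow update: if isOwner()
        && !request.resource.data.diff(resource.data)
              .affectedKeys().hasAny(['subscription']);
    }
  }
}
```

Rules like these can be exercised against the Firebase Local Emulator Suite before deployment, with one test per operation (create, update, delete) on the protected field.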