diff --git a/firestore.rules b/firestore.rules
index 9e80a14..3dcea20 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -113,12 +113,20 @@ service cloud.firestore {
     }
 
     // Leaderboard collection
+    // The broad allow write clause has been removed. It was evaluated first by
+    // Firestore's OR logic, making the field-restricted allow update below it
+    // completely unreachable, and letting any owner set arbitrary point values.
     match /leaderboard/{userId} {
       allow read: if true;
-      allow write: if (request.auth != null && request.auth.uid == userId) || isSuperAdmin(); // Owner or Super Admin can write
-      allow update: if request.auth != null && request.auth.uid == userId && (
-        (request.resource.data.diff(resource.data).affectedKeys().hasOnly(['points']))
-      );
+
+      // Only a superadmin (backend / Admin SDK) may create or delete entries.
+      allow create, delete: if isSuperAdmin();
+
+      // Owners may only touch the 'points' field. All other leaderboard
+      // mutations must go through the trusted backend.
+      allow update: if request.auth != null
+        && request.auth.uid == userId
+        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['points']);
     }
 
     // Resources collection
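Review bot: The new `allow update` rule still lets the owner write any value into `points` — `hasOnly(['points'])` restricts which key changes, not what it changes to, so the "arbitrary point values" problem named in the added comment is only partly closed; a client-writable score on a publicly readable leaderboard is worth constraining with a type and bound check, e.g. `&& request.resource.data.points is int && request.resource.data.points >= 0 && request.resource.data.points <= MAX_POINTS` (MAX_POINTS being a placeholder for the project's real ceiling), or by moving point changes to the backend along with create/delete. The comment `// Only a superadmin (backend / Admin SDK) may create or delete entries.` is misleading, because Admin SDK requests bypass security rules entirely; `isSuperAdmin()` only governs client requests, so something like `// Only a client authenticated as superadmin may create or delete; the Admin SDK bypasses rules.` would be more accurate. `isSuperAdmin()` is defined outside this hunk, so what it actually checks cannot be confirmed here.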