When Google Analytics customers enable the data sharing setting for “Google products & services” (Google Analytics) and accept the "Measurement Controller-Controller Data Protection Terms" (which incorporates the EU User Consent Policy), Google is, for GDPR purposes, a controller of the data that is shared and used under this setting.*
This means Google can access and analyze the Analytics data customers share with us to better understand online behavior and trends, and improve our products and services—for example, to improve Google search results, detect and remove invalid advertising traffic in Google Ads, and test algorithms and build models that power services like Google Analytics Intelligence that apply machine-learning to surface suggestions and insights for customers based on their analytics data and like Google Ads that applies broad models to improve ads personalization and relevance. These capabilities are critical to the value of the products we deliver to customers today.
Note that if you have disabled ads personalization for a given event or user property, including at the country or regional level, any data collected therefrom and processed under the data-sharing setting will not be used for ads personalization.
If you unlink Analytics and Firebase, then Firebase users no longer have access to the App + Web property.
Agency/resellers are not permitted to set the data-sharing setting or accept the controller-controller data-protection terms on behalf of their end clients. Only their end clients can enable the data-sharing setting and accept the controller-controller data-protection terms.