This is why you use it on devices and computers you own and already have password protected on the devices to login to use in the first place. Never use sync on Company computer or Laptop as anything you do on there they can see and track along with passwords and sites. It's up to the user to safe guard their login/pswd before using on unsecured system that you don't own.

how does one device get the passwords and bookmarks from another device? it is done by uploading stuff somewhere. so how does it remain safe/protected of mozilla gets hacked?

Browser gets hacked because the user themselves click malware/phishing email that's how they get hacked. The Browser doesn't do the hacking it-it's the user that does it. And if the user uses Admin/Owner account without password protection is what permits malware to install and hack your system. You need to lock the Admin/Owner account with password and make a user only that can't install software or if Addons get infected one just wipes that account clean and start over if it gets infected. So at this point it's up to the user to do their homework to secure their system. If they click on clickbait links or emails then no amount of Software protection will stop as doing you give the malware permission to install and do it's damage.

I ask a simple question and get a lot of garbage answers by top contributors. I will not be giving my passwords to mozilla. this is very disappointing.

When you use Sync then all your data is encrypted locally using a key derived from the password of this Sync account before it leaves your computer and is uploaded to the Sync server. https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol