Security rules don’t filter data. So that means that in your current data model you indeed have to perform two read operations.

The common solution is to separate the public and “slightly less” public settings into two top-level nodes:

"Settings":{ 
    ".read": "auth != null",
    ".write": "root.child('Users').child(auth.uid).child('rank').val() == 3",
},
"PublicSettings":{ 
    ".read": true,
    ".write": "root.child('Users').child(auth.uid).child('rank').val() == 3",
},

Now all users will have to perform two reads, one for the auth-requiring settings and one for the public settings. But it will now require two reads, no matter how many public properties you define.

there is a table called Settings in my database and in my security rules, only two of the children can be accessed by non auth user.

  "Settings":{ 
    ".read": "auth != null",
    ".write": "root.child('Users').child(auth.uid).child('rank').val() == 3",
    "$id":{
      ".read": "$id == 'maintenance' || $id == 'welcomeList'"
    }
},

But this way I can not get settings using one query like below:

settingsRef.addValueEventListener(new ValueEventListener() {
    @Override
    public void onDataChange(@NonNull DataSnapshot dataSnapshot) {
        settings = dataSnapshot.getValue(Settings.class));
    }
});

I have to query twice to get what I want. Is there any other way to do this? Because I am going to need more than two children in the future and I do not want to end up having 5 different queries.

settingsRef.child("maintenance").addValueEventListener(new ValueEventListener() {
    @Override
    public void onDataChange(@NonNull DataSnapshot dataSnapshot) {
        settings.setMaintenance(dataSnapshot.getValue(Integer.class));
    }
});

settingsRef.child("welcomeList").addValueEventListener(new ValueEventListener() {
    @Override
    public void onDataChange(@NonNull DataSnapshot dataSnapshot) {              
         settings.setWelcomeList(dataSnapshot.getValue());
    }
});