A non-admin user account with a decent password to log on to the device is the first line of defence. As to Firefox, you have two options.

In Settings, Privacy and Security, come out of default private browsing mode and, under Cookies and Site Data, check the delete cookies and site data when Firefox is closed option. This gives you an option to Manage Exceptions, setting up a whitelist of sites which are allowed to save login details in a cookie. Any site not on the whitelist should have its cookies deleted when Firefox is closed.

Alternatively, under Logins and Passwords, check the Ask to save option but use the exceptions option to set up a blacklist of websites which should never have logins and passwords saved.