The GraphQL schema must strike a balance between public and private fields, so as to avoid exposing private information in a public API.
By default, all fields in the GraphQL schema can only access public data. For instance, posts can only retrieve posts with status "publish".
In addition, we can add “sensitive” data fields and input fields to the schema, which can also fetch private data. These are expected to be used by the admin only, and are enabled only for a specific custom endpoint or persisted query.
For instance, the field argument posts(filter:) will contain an additional input field status, which allows us to retrieve non-published posts (e.g. posts with status "pending", "draft" or "trash") for any user. Likewise, the schema will expose the field Post.status, to visualize this piece of data.
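The behaviour described above, as an added illustration in JavaScript rather than the plugin's own PHP code: a resolver for posts(filter:) that only returns published posts on the public schema, and honours the sensitive status input field and exposes Post.status only when the hypothetical context.sensitiveDataEnabled flag marks the request as coming through the admin's custom endpoint or persisted query. The post list is constructed sample data.

```javascript
// Added illustration, not the plugin's own code: a minimal resolver for the
// posts(filter:) field that keeps the public schema limited to published
// posts and honours the sensitive "status" input field only when the request
// comes through an endpoint where sensitive data is enabled.

// Constructed sample data standing in for the WordPress posts table.
const POSTS = [
  { id: 1, title: "Hello world", status: "publish" },
  { id: 2, title: "Roadmap", status: "draft" },
  { id: 3, title: "Guest post", status: "pending" },
  { id: 4, title: "Old notice", status: "trash" },
];

const PUBLIC_STATUSES = new Set(["publish"]);
const SENSITIVE_STATUSES = new Set(["publish", "pending", "draft", "trash"]);

// Post.status is itself a sensitive field: it is dropped from the result
// unless sensitive data is enabled for this request.
function projectPost(post, context) {
  const { status, ...publicFields } = post;
  return context.sensitiveDataEnabled ? { ...publicFields, status } : publicFields;
}

// context.sensitiveDataEnabled is a hypothetical flag that the server sets to
// true only for the admin's custom endpoint or persisted query.
function resolvePosts(args, context) {
  const filter = (args && args.filter) || {};
  const sensitive = Boolean(context && context.sensitiveDataEnabled);
  const allowed = sensitive ? SENSITIVE_STATUSES : PUBLIC_STATUSES;

  if (filter.status !== undefined) {
    // On the public schema the "status" input field does not exist, so a
    // client that sends it anyway gets a validation error instead of a
    // silently widened result set.
    if (!sensitive) {
      throw new Error('Unknown input field "status" on posts(filter:)');
    }
    if (!allowed.has(filter.status)) {
      throw new Error(`Invalid post status "${filter.status}"`);
    }
  }
  // Without an explicit filter, both schemas default to published posts only.
  const wanted = filter.status !== undefined ? filter.status : "publish";
  return POSTS.filter((p) => p.status === wanted).map((p) => projectPost(p, context));
}
```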