The GraphQL endpoint, which can return any piece of data accessible through the schema, could potentially allow malicious actors to retrieve private information. Hence, we must implement security measures to protect the data.
With access control lists, we can define who can access each operation, field and directive in the schema:
Disable access to everyone
Grant access if the user is logged-in, or logged-out
Grant access if the user has some role
Grant access if the user has some capability
Grant access if the visitor comes from some IP or IP range