I've never used GraphQL extensively in my projects, but my main concern would be rate limiting and malicious queries. It must be a lot harder than with REST, but I'm guessing that the industry found a way to workaround that.