My point is that giving expressive power to your front end developer puts that expressive power in the hands of an end user as well. So you have to be very careful with that power, and I assert that most people are not. Facebook apparently uses an exhaustive query whitelist to lock down their GraphQL endpoints, but the vast majority of people jumping on the GraphQL bandwagon aren't going to do that, and likely have little understanding of the security implications of not doing it.
A truly REST-ful hypermedia API eliminates this issue by moving the construction of the hypermedia server side, which is a trusted computing environment and which allows you to give the developers a fully developed and arbitrarily powerful query language like SQL. Doing so does not put that query language in the hands of end users, in contrast with things like GraphQL.
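The "exhaustive query whitelist" the comment mentions is usually implemented as a persisted-query allowlist: the server only executes operations whose text (or hash) was registered at build time, so an end user cannot craft arbitrary queries against the schema. The following is an added illustration, not code from the commenter or from any GraphQL project; the operation names, query texts and request shape are constructed for the example.

```python
import hashlib
import re

# Operations the front end is allowed to run, registered at build time.
# Constructed sample queries; names and fields are hypothetical.
ALLOWED_QUERIES = {
    "getUser": "query getUser($id: ID!) { user(id: $id) { id name } }",
    "listPosts": "query listPosts { posts(first: 20) { id title } }",
}


def normalize(query: str) -> str:
    """Collapse whitespace so formatting differences do not change the hash."""
    return re.sub(r"\s+", " ", query).strip()


def query_hash(query: str) -> str:
    """Stable identifier for a query document: SHA-256 of its normalized text."""
    return hashlib.sha256(normalize(query).encode("utf-8")).hexdigest()


# Reverse index: hash -> operation name, built once from the allowlist.
ALLOWED_HASHES = {query_hash(q): name for name, q in ALLOWED_QUERIES.items()}


def authorize_request(body: dict) -> tuple[bool, str]:
    """Gate a GraphQL request body before it reaches the executor.

    Clients may send either the full query text ("query") or only its hash
    ("queryHash", persisted-query style). Anything whose hash is not on the
    allowlist is rejected, so the schema's full expressive power is never
    exposed to arbitrary callers. Returns (allowed, operation name or reason).
    """
    h = body.get("queryHash")
    q = body.get("query")
    if q is not None:
        # Full text supplied: hash it ourselves rather than trusting a client hash.
        h = query_hash(q)
    if h is None:
        return False, "no query or queryHash supplied"
    name = ALLOWED_HASHES.get(h)
    if name is None:
        return False, "query not on allowlist"
    return True, name


if __name__ == "__main__":
    # Registered operation, sent with different formatting: accepted.
    print(authorize_request({"query": "query getUser($id: ID!) {\n user(id: $id) { id name }\n}"}))
    # Ad-hoc query the front end never shipped: rejected.
    print(authorize_request({"query": "{ users { id email } }"}))
```

Because the server decides which documents are executable, adding a new query is a deployment step (register it in the allowlist) rather than something a client can do at runtime, which is the property the comment attributes to the Facebook setup. A variable like `$id` is still validated by the normal GraphQL type system and by the resolver's own authorization checks; the allowlist only constrains the shape of the operation, not who may run it.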