I really hope people don’t actually have their database on the public internet. The whole point of an API layer between the web client and the database is to keep bots and other malicious users from having access to anything that isn’t strictly necessary.
GraphQL itself can be problematic if it is not used cautiously. It can encourage oversharing, simplify DoS attacks, etc. Even if you don’t provide greater access to data, you increase the algebraic complexity of the queries available to attackers, which can make abuse harder to detect.
The easiest way to use GraphQL safely is to use it internally, with a REST server on the front end which hides GraphQL queries behind a public REST interface. Otherwise it’s best to carefully craft the GraphQL API with security in mind.
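As an added example (not part of the comment above), here is one way a gateway can enforce the "carefully craft with security in mind" advice: a small Python lexer that estimates a query's nesting depth and field count and rejects it before any resolver runs. The limits, the tokenizer and the sample queries are all constructed for this illustration.

```python
import re
# Constructed limits for this example; tune them per schema in practice.
MAX_DEPTH = 5
MAX_FIELDS = 50
# Tokens: string literal, identifier, structural punctuation, anything else.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_][A-Za-z0-9_]*|[{}():@]|\S')

def measure_query(query: str) -> dict:
    """Estimate selection-set nesting depth and selected-field count.
    A small lexer, not a full GraphQL parser: identifiers inside argument
    lists, string literals, aliases and directive names are ignored; aliased
    repeats of one field (a1: posts, a2: posts) still count once each."""
    tokens = _TOKEN.findall(query)
    depth = max_depth = paren = fields = 0
    skip_next = False  # set after '@' so a directive name is not a field
    for i, tok in enumerate(tokens):
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok in ("(", ")"):
            paren += 1 if tok == "(" else -1
        elif tok == "@":
            skip_next = True
        elif tok[0].isalpha() or tok[0] == "_":
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if skip_next:
                skip_next = False
            elif depth >= 1 and paren == 0 and nxt != ":":
                fields += 1
    return {"depth": max_depth, "fields": fields}

def check_query(query: str) -> tuple:
    """Return (accepted, reason) so a gateway can reject before resolving."""
    m = measure_query(query)
    if m["depth"] > MAX_DEPTH:
        return False, f"depth {m['depth']} exceeds {MAX_DEPTH}"
    if m["fields"] > MAX_FIELDS:
        return False, f"{m['fields']} fields exceed {MAX_FIELDS}"
    return True, "ok"

# Constructed sample queries: one ordinary, one nested far past the limit.
SHALLOW_QUERY = "query { viewer { name email posts(first: 5) { title } } }"
DEEP_QUERY = """query Deep { user(id: "42") { friends(first: 10) { friends {
  friends { friends { friends { name } } } } } } }"""

print([check_query(q) for q in (SHALLOW_QUERY, DEEP_QUERY)])
```

Because the check runs on the raw query text, it costs nothing per field resolved, which is the point: the expensive recursive resolution is what a depth or alias-amplified query tries to trigger.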