by al2o3cr 3346 days ago

    Allows clients to use the same APIs as backend services.
Whether this counts as a bug or a feature depends on your APIs. I'm currently unfucking a suite of applications which bought into "your SPAs can just call backend services directly!" without getting a better security model - so the SPAs use hard-coded tokens that don't do any authorization, just like the backend services... facepalm
2 comments

Sounds like those backend services needed better security too. It seems orthogonal to whether you have 3 different API surfaces (one for web, one for mobile app, one for backend servers), or the same for all. At Google, gRPC allowed us to move from the former to the latter.

Personally I consider it a bug, but I was trying to avoid being too dogmatic in my comment, given it's clear I'm already decidedly biased in favour of GraphQL.