by jondubois 3241 days ago
One problem with GraphQL is that there can be some overlap between the results of different queries, so it can be wasteful. Also, access control is more difficult because a GraphQL query might reference multiple different data types which have different access control rules (a user may only be allowed to see part of the query result) - so it makes access control a lot more complicated.
2 comments

Facebook has a solution for over-fetching, which they call dataloader.

As for the access control problem: it's easily solved with existing features of GraphQL. GraphQL exposes a user context which can be referenced on a per-property basis and thus used to check the permissions of the user.

Those aren't trivial problems to solve in a traditional REST framework either. In GraphQL, having one whole query delivered upfront means the server can do some clever query-planning and app-level caching to efficiently fetch its required data. REST endpoints can't do that, since the queries will be spread across multiple network requests.
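
The per-property permission check against a user context that the first reply describes, as an added example that is not part of the thread. It is a small hand-written resolver walk, not the graphql-js API; the `guard` helper, the rules, the field names and the sample records are all assumptions made for illustration.

```javascript
// Constructed sample data (illustration only).
const users = {
  1: { id: 1, name: "alice", email: "alice@example.test", salary: 100 },
  2: { id: 2, name: "bob", email: "bob@example.test", salary: 90 },
};

class ForbiddenError extends Error {}

// Hypothetical helper: wrap a field resolver with an authorization rule
// that is evaluated against the per-request context.
const guard = (rule, resolve) => (parent, ctx) => {
  if (!rule(parent, ctx)) throw new ForbiddenError("forbidden");
  return resolve(parent, ctx);
};

const isAdmin = (_parent, ctx) => ctx.user?.role === "admin";
const isSelfOrAdmin = (parent, ctx) =>
  ctx.user != null && (ctx.user.role === "admin" || ctx.user.id === parent.id);

// One resolver per field: public fields are plain, sensitive ones are guarded.
const userResolvers = {
  id: (p) => p.id,
  name: (p) => p.name,
  email: guard(isSelfOrAdmin, (p) => p.email),
  salary: guard(isAdmin, (p) => p.salary),
};

// Resolve the requested fields of one user. A denied field becomes null and
// is reported in `errors`, so the caller gets a partial result, not a leak.
function execute(userId, fields, ctx) {
  const parent = users[userId];
  if (!parent) return { data: null, errors: [{ path: "user", message: "not found" }] };
  const data = {};
  const errors = [];
  for (const field of fields) {
    // Own-property check so names like "constructor" are rejected.
    if (!Object.prototype.hasOwnProperty.call(userResolvers, field)) {
      errors.push({ path: field, message: "unknown field" });
      continue;
    }
    try {
      data[field] = userResolvers[field](parent, ctx);
    } catch (e) {
      if (!(e instanceof ForbiddenError)) throw e;
      data[field] = null; // default deny: never fall through to the value
      errors.push({ path: field, message: e.message });
    }
  }
  return { data, errors };
}
```

Because the rule lives on the field rather than on the query, the same check applies no matter which query shape reaches that field.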