Hacker News
by tomnipotent 2931 days ago
> because all the authorization and restrictions are done on the application layer.

Which application tier? It sounds like you're using GraphQL in-memory to query the database in the same process that's creating the GraphQL query. You should be treating GraphQL as a database, and it should not exist on the same machine that's using it. This way your GraphQL app has centralized permissions & auth, and all your other apps would then be beholden to whatever you implemented.

> just using a GraphQL server as an ORM

If you're using it the way above, then yes. But that's the wrong way to use it.