The client doesn't create queries in this situation, you explicitly define them server-side. So optimization is easier. I've seen this time and again with services that aren't GraphQL but tried to provide a semi-freeform query feature; if you only have a few clients and control them all, it's way easier to just make separate endpoints for whatever they need. If you have many clients, maybe GraphQL makes sense.

Auth on leaf nodes, maybe I'm not understanding the issue but it seems solved without GraphQL. JWTs are one way.