Why, after 6 years, I’m over GraphQL

GraphQL was once hailed as a game-changing technology, but my perspective has shifted over time due to its implications for security, performance, and maintainability. Exposing a query language to clients can increase the attack surface, leading to potential vulnerabilities and burdensome security measures. Rate limiting queries can be challenging, with the possibility of complex calculations and cyclical schemas causing issues. Performance problems, such as the N+1 problem and authorisation issues, can arise, requiring defensive measures like the Dataloader pattern. The complexity introduced by these issues makes GraphQL less appealing compared to simpler REST solutions. Instead, for those who control all clients and value self-documenting type safety, an OpenAPI 3.0+ compliant JSON REST API could be a more straightforward alternative.

https://bessey.dev/blog/2024/05/24/why-im-over-graphql/
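The rate-limiting difficulty above is concrete: with a cyclical schema (User.posts -> Post.author -> User.posts ...) a client can nest a query without bound, and the cost grows multiplicatively at each list level. The following is an added, dependency-free illustration of the usual defence (rejecting a query on nesting depth and an estimated cost before any resolver runs); it is not code from the blog post, and it is not graphql-js. The field names, the `LIST_FIELDS` set, the default page size of 10 and the two sample queries are all constructed assumptions for the demonstration, and the parser only handles the selection-set subset of the query language (fields, aliases, arguments, nesting).

```python
import re

# Token classes for the selection-set subset handled here. The final "." alternative
# catches anything unexpected so malformed input is rejected rather than skipped.
TOKEN_RE = re.compile(
    r'\s+|,|#[^\n]*|[{}():]|[A-Za-z_][A-Za-z0-9_]*|-?\d+|"(?:[^"\\]|\\.)*"|.'
)
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
PUNCT = {"{", "}", "(", ")", ":"}

# Hypothetical schema assumptions: these fields resolve to lists. A "first"
# argument bounds the page size, otherwise the server default is assumed.
LIST_FIELDS = {"users", "posts", "comments"}
DEFAULT_PAGE_SIZE = 10


def _is_token(tok):
    return (tok in PUNCT or IDENT_RE.fullmatch(tok) is not None
            or re.fullmatch(r"-?\d+", tok) is not None
            or (len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"'))


def tokenize(query):
    tokens = []
    for m in TOKEN_RE.finditer(query):
        tok = m.group(0)
        if tok.isspace() or tok == "," or tok.startswith("#"):
            continue  # whitespace, commas and comments are insignificant in GraphQL
        if not _is_token(tok):
            raise ValueError(f"unexpected character {tok!r}")
        tokens.append(tok)
    return tokens


class Parser:
    """Recursive-descent parser for: [query [Name]] SelectionSet."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def name(self):
        tok = self.take()
        if not IDENT_RE.fullmatch(tok):
            raise ValueError(f"expected a name, got {tok!r}")
        return tok

    def document(self):
        if self.peek() == "query":
            self.take()
            if self.peek() != "{":
                self.name()  # optional operation name
        fields = self.selection_set()
        if self.peek() is not None:
            raise ValueError(f"trailing input at {self.peek()!r}")
        return fields

    def selection_set(self):
        self.take("{")
        fields = []
        while self.peek() != "}":
            fields.append(self.field())  # raises at end of input, so no infinite loop
        self.take("}")
        return fields

    def field(self):
        name = self.name()
        if self.peek() == ":":  # alias: realName
            self.take(":")
            name = self.name()
        args = {}
        if self.peek() == "(":
            self.take("(")
            while self.peek() != ")":
                key = self.name()
                self.take(":")
                value = self.take()
                if value in PUNCT:
                    raise ValueError(f"bad argument value {value!r}")
                args[key] = value
            self.take(")")
        children = self.selection_set() if self.peek() == "{" else []
        return {"name": name, "args": args, "children": children}


def max_depth(fields):
    """Nesting depth of selection sets: a leaf field at the root is depth 1."""
    return 0 if not fields else 1 + max(max_depth(f["children"]) for f in fields)


def estimated_cost(fields):
    """Each field costs 1 plus its children; list fields multiply by page size."""
    total = 0
    for f in fields:
        multiplier = 1
        if f["name"] in LIST_FIELDS:
            multiplier = max(0, int(f["args"].get("first", DEFAULT_PAGE_SIZE)))
        total += 1 + multiplier * estimated_cost(f["children"])
    return total


def check_query(query, max_allowed_depth=6, max_allowed_cost=1000):
    """Return (accepted, depth, cost). Malformed queries raise ValueError."""
    fields = Parser(tokenize(query)).document()
    depth, cost = max_depth(fields), estimated_cost(fields)
    return (depth <= max_allowed_depth and cost <= max_allowed_cost, depth, cost)


# Constructed sample queries (not from the blog post).
BENIGN_QUERY = 'query Profile { user(id: "42") { name posts(first: 5) { title } } }'
# The cycle User.posts -> Post.author -> User.posts lets a client nest freely; with
# no "first" argument the default page size applies at every list level.
ABUSIVE_QUERY = '{ user(id: "42") { posts { author { posts { author { posts { title } } } } } } }'

if __name__ == "__main__":
    for label, q in (("benign", BENIGN_QUERY), ("abusive", ABUSIVE_QUERY)):
        ok, depth, cost = check_query(q)
        print(f"{label}: accepted={ok} depth={depth} cost={cost}")
```

The benign query scores depth 3 and cost 8; the three-level cyclic query scores depth 7 and cost 1222 and is rejected on both limits. The point a practitioner should take from it is that depth alone is not enough: a shallow query with large `first` values, or aliases repeating an expensive field, still needs the multiplicative cost estimate, and the estimate must be computed before resolvers (and their N+1 database round trips) ever run.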
