While I have also seen many poorly secured GraphQL API:s, this seems like an unfair criticism. To me GraphQL is mostly an alternative to REST, which also has no authorization or authentication by default, that is a orthogonal concern, but you can hardly blame REST for that.