
You can avoid this by allowing only specific queries in staging and production environments; this way, the introspection query can be disabled too.

Not sure if this violates the GraphQL spec though, because ideally the server supports introspection, but it is disabled in some cases for safety reasons.



But if you're limiting to only a whitelist of queries, what's the difference vs a standard API? You might as well then just have a REST endpoint with the query defined on the server if you're only allowing certain queries. Get your JavaScript devs to write a Node service or equivalent with the query logic inside it; that way the query logic doesn't need to be replicated per client.


This is where GraphQL shines. You give your developer a schema and "they" choose the queries and mutations they want to make to make their life easy. Also, there's much less friction because the GraphQL schema can be completely documented.

And while going to prod, you just allow the queries that are being used, disable the rest.
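One way to implement the allow-list-in-prod, introspection-off pattern described in these two comments, as an added example that is none of the commenters' code: the server keeps a set of permitted operations and, in staging or production, rejects anything else plus any query touching the reserved `__schema`/`__type` fields. The allowed queries, the environment names and the `checkQuery` interface are assumptions; production systems usually key the allow-list on a hash of the query (persisted queries), but this dependency-free version keys on the normalized query text.

```javascript
// Added example (not from the thread): a GraphQL operation allow-list that is
// enforced only in staging/production, with introspection blocked there too.

// Collapse whitespace so cosmetic formatting differences do not defeat the match.
// A real implementation would compare parsed ASTs rather than text.
function normalizeQuery(query) {
  return query.replace(/\s+/g, ' ').trim();
}

// Constructed sample: the only operations the clients are known to use.
const ALLOWED_QUERIES = [
  'query GetUser($id: ID!) { user(id: $id) { id name } }',
  'mutation UpdateName($id: ID!, $name: String!) { updateUser(id: $id, name: $name) { id } }',
];
const ALLOWED = new Set(ALLOWED_QUERIES.map(normalizeQuery));

// Introspection uses the reserved __schema and __type fields.
// (__typename is a normal selection and is deliberately not matched.)
function isIntrospection(query) {
  return /\b__(schema|type)\b/.test(query);
}

// Decide whether a request { query, variables } may run in the given environment.
// Returns { ok, reason } so the caller can log the rejection reason.
function checkQuery(request, env) {
  const enforce = env === 'staging' || env === 'production';
  const query = request.query || '';
  if (!enforce) {
    return { ok: true, reason: 'development: all queries allowed' };
  }
  if (isIntrospection(query)) {
    return { ok: false, reason: 'introspection disabled' };
  }
  if (!ALLOWED.has(normalizeQuery(query))) {
    return { ok: false, reason: 'query not in allow-list' };
  }
  return { ok: true, reason: 'allow-listed' };
}
```

Note that disabling introspection only hides the schema; the allow-list is what actually prevents unexpected operations from running.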


Sort of like SQL, and then only GRANTing access to certain views in stage/prod?



