
A good implementation will calculate the estimated "cost" of a given query before executing it. This is quite tricky to do well, and I doubt many people do it. Once you know the cost of a given query, it's trivial to reject it if it's too expensive.

A much better alternative is to only allow specific queries in production. These persisted queries can then be assigned an ID, and making a request is a matter of sending the ID with any variables.



Agree. But isn't that the kind of API we wrote before GraphQL?


It's very different. The main difference is that you define the capabilities on the back end through your GraphQL schema once, then clients generate the query ids through an automated process in development.

In the old way, someone would have to write backend code to build and maintain each individual endpoint. With GraphQL, you only maintain the schema on the backend.




