I've been playing with getting a Postgres/GraphQL system working recently too. I decided that the definitions of the "edges" in the schema itself should declare what the user/viewer is capable of fetching via the GraphQL.
I started a very naive implementation of A-Relay-Like-Architecture (Arla) and built todomvc with it[1].... schema.js[2] declares the schema/nodes as well as the 'calls/edges' available for each node, which allows you to limit the visible rows/columns based on the $viewer id.
It's all a bit of an experiment... but I'm liking the GraphQL pattern so far.
[1] https://github.com/kiloe/arla-todomvc
[2] https://github.com/kiloe/arla-todomvc/blob/master/schema.js