I was responding to someone who was talking about one-by-one checks in REST. It is in fact true that using one-by-one checks in GraphQL is pretty similar to using them in REST.
You can do the equivalent of applying middleware at a routing level in GraphQL by wrapping multiple resolvers, although the semantics will be different because you're not working with a tree of routes and so you'll need to group your resolvers together in some other way. In the Node.js libraries a resolver is just a function, so you can very easily wrap a bunch of them in another function:
// auth.js
// Wraps a resolver so the permission check on `parent` runs before it.
// Assumes ctx.can throws when access is denied (e.g. CASL's
// ForbiddenError.from(ability).throwUnlessCan); note that CASL's plain
// ability.can() only returns a boolean and would not stop the resolver.
export const checkParent = (permission, fn) => (parent, args, ctx) => {
  ctx.can(permission, parent); // CASL
  return fn(parent, args, ctx);
};

// resolvers.js
import * as auth from './auth';

export const resolvers = {
  // could also iterate over all the resolvers within User using Object.entries
  // and apply auth.checkParent if you wanted
  User: {
    photoURLs: auth.checkParent('read', (parent, _, ctx) => {
      return parent.getSignedPhotoURLs();
    }),
  },
  Query: {
    user: async (_, { id }, ctx) => {
      const user = await ctx.db.users.getById(id);
      ctx.can('read', user); // same check at the root field
      return user;
    },
  },
};
I'm not sure what you mean by "deny requests automatically" because there's obviously no manual step here, and equally obviously I'm not sure what you mean by "scenarios [I] never considered". Are you talking about rate limiting or heuristic detection? You can do those in GraphQL too.
Yes, this stuff is slightly different, but it's genuinely not that hard to secure a GraphQL API.
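The "iterate over the resolvers with Object.entries" variant mentioned in the comment above, worked through as an added example (it is not the commenter's code and uses no GraphQL library; resolvers are plain functions and are called directly). The ability check `can`, the sample users and photos, and the signed-URL format are constructed stand-ins; a real service would use a CASL ability and real storage. It also shows why guarding the type rather than the root query matters: a later, unguarded `recentPhotos { owner { email } }` path reaches User objects without ever passing through `Query.user`.

```javascript
// Added example: type-level authorization wrapping in a resolver map.
// Everything here (can, users, photos, URL format) is constructed sample code.

class ForbiddenError extends Error {
  constructor(permission, subject) {
    super(`not allowed to ${permission} ${subject && subject.__typename}`);
    this.name = 'ForbiddenError';
  }
}

// Stand-in for an ability check: admins may read anything; other viewers may
// read only records they own. Returns a boolean, like CASL's ability.can().
function can(viewer, permission, subject) {
  if (!viewer || !subject) return false;
  if (viewer.role === 'admin') return true;
  return permission === 'read' && subject.ownerId === viewer.id;
}

// Wrap one resolver: deny before the field is resolved, so nothing is computed
// or returned for a parent the viewer may not read.
const checkParent = (permission, fn) => (parent, args, ctx, info) => {
  if (!ctx.can(permission, parent)) throw new ForbiddenError(permission, parent);
  return fn(parent, args, ctx, info);
};

// Wrap every field resolver on a type. This is the GraphQL analogue of mounting
// middleware on a router: the grouping unit is the type, not a URL prefix.
const protectType = (permission, fields) =>
  Object.fromEntries(
    Object.entries(fields).map(([name, fn]) => [name, checkParent(permission, fn)]),
  );

// Constructed sample data.
const users = {
  1: { __typename: 'User', id: 1, ownerId: 1, role: 'user', email: 'alice@example.com', photoIds: [10, 11] },
  2: { __typename: 'User', id: 2, ownerId: 2, role: 'user', email: 'bob@example.com', photoIds: [] },
};
const photos = {
  10: { __typename: 'Photo', id: 10, ownerId: 1 },
  11: { __typename: 'Photo', id: 11, ownerId: 1 },
};

const resolvers = {
  // Every User field is guarded, whichever query path produced the User.
  User: protectType('read', {
    email: (parent) => parent.email,
    photoURLs: (parent) => parent.photoIds.map((id) => `https://cdn.example/photos/${id}?sig=constructed`),
  }),
  Photo: {
    // Deliberately unguarded: hands back the owning User from a Photo.
    owner: (parent, _args, ctx) => ctx.db.users[parent.ownerId],
  },
  Query: {
    // Guarded at the root, like the Query.user resolver in the comment.
    user: (_parent, { id }, ctx) => {
      const user = ctx.db.users[id];
      if (!ctx.can('read', user)) throw new ForbiddenError('read', user);
      return user;
    },
    // Unguarded listing: the kind of field that gets added later and forgotten.
    recentPhotos: (_parent, _args, ctx) => Object.values(ctx.db.photos),
  },
};

const makeContext = (viewer) => ({
  viewer,
  db: { users, photos },
  can: (permission, subject) => can(viewer, permission, subject),
});

// Simulate `{ user(id) { photoURLs } }` by calling the resolvers in order.
function photoURLsViaUser(viewer, id) {
  const ctx = makeContext(viewer);
  const user = resolvers.Query.user(null, { id }, ctx);
  return resolvers.User.photoURLs(user, {}, ctx);
}

// Simulate `{ recentPhotos { owner { email } } }`: this path never touches
// Query.user, so only the type-level wrapper stands between Bob and Alice's email.
function ownerEmailsViaRecentPhotos(viewer) {
  const ctx = makeContext(viewer);
  return resolvers.Query.recentPhotos(null, {}, ctx).map((photo) => {
    const owner = resolvers.Photo.owner(photo, {}, ctx);
    return resolvers.User.email(owner, {}, ctx);
  });
}

// Returns the thrown error's name instead of propagating it, for easy checking.
function attempt(fn) {
  try { return fn(); } catch (e) { return e.name; }
}
```

Alice reading her own photos succeeds; Bob asking for Alice's photos is stopped at `Query.user`, and Bob walking `recentPhotos -> owner -> email` is stopped by the wrapped `User.email` resolver even though nothing on that path checked him earlier. The wrapper does not replace the root-level check (a resolver that returns scalars directly from the root still needs its own), but it does mean a new field that merely returns a User inherits the type's policy.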
Not true, authorization can be done in middleware. You can deny requests automatically, even scenarios you never considered.