I think my example was too complicated.
In short, if I have an @auth rule that forbids me access to Post, it works. But if I then query Author.posts, I can access the post. I would assume that each level of a nested query would need to respect auth rules, else we just can’t nest objects that have auth rules…
I can’t tell what the outcome of this thread was. Either way, I think in the thread you’re asking “How can I make it so I only see A if nested object B also exists / is authorized”, and I’m asking “Why does access to A implicitly grant access to nested object B”.
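
The difference described in this post, as an added toy model in Python (not part of the original post and not Dgraph's resolver code): one lookup checks the rule only on the root type, the other applies the Post rule again at the nested level. All names, rules and records here are hypothetical and constructed for illustration.

```python
# Constructed sample data: two posts with different owners, one author linking both.
POSTS = {
    "p1": {"id": "p1", "owner": "alice", "title": "public notes"},
    "p2": {"id": "p2", "owner": "bob", "title": "bob's draft"},
}
AUTHORS = {"a1": {"id": "a1", "name": "Bob", "posts": ["p1", "p2"]}}

# Per-type rules standing in for @auth (hypothetical): a viewer may read a
# Post only if they own it; Author records are readable by anyone.
AUTH_RULES = {
    "Post": lambda viewer, obj: obj["owner"] == viewer,
    "Author": lambda viewer, obj: True,
}


def allowed(type_name, viewer, obj):
    """Evaluate the rule for one object; a type without a rule is denied."""
    rule = AUTH_RULES.get(type_name)
    return rule is not None and rule(viewer, obj)


def get_post(viewer, post_id):
    """Root query on Post: the Post rule is applied."""
    post = POSTS.get(post_id)
    return post if post and allowed("Post", viewer, post) else None


def get_author_root_only(viewer, author_id):
    """Rule checked on the root type only; nested posts come back unfiltered."""
    author = AUTHORS.get(author_id)
    if not author or not allowed("Author", viewer, author):
        return None
    return {"name": author["name"],
            "posts": [POSTS[p] for p in author["posts"]]}


def get_author_every_level(viewer, author_id):
    """Same query, but every nested Post also passes through the Post rule."""
    author = AUTHORS.get(author_id)
    if not author or not allowed("Author", viewer, author):
        return None
    visible = [POSTS[p] for p in author["posts"]
               if allowed("Post", viewer, POSTS[p])]
    return {"name": author["name"], "posts": visible}
```

A regression test for a schema with nested types can follow the same shape: request the protected object directly and through each parent edge, and require the same answer on both paths.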