Thanks for your considerations !
I think this would be another helpful option
--endpoint-mode=graphql | classic | classic+auth
Then it would be “opt-in” and those who find it too restrictive would automatically avoid it.
There is also an accepted issue about this. Maybe the discussion about what to call the flags and if you want to offer a poorman’s auth option for the endpoints belongs there…
Side question:
Does the term “Poor man’s auth” refer only to protecting the /alter endpoint with a static token, or does it also include the @auth GraphQL directives?