@jerber - I think it depends on your use case.
Protecting a user from querying a certain field is not possible yet without creating a new node, and blocking the entire node with an @auth rule.
However, this should be possible for mutations when the update-after validation is hopefully released in the near future with something like this:
queryUsers(filter: { not: { has: role } }
Which would keep a user from updating their role i.e.
This should be possible now for add mutations, but they could easily get updated until this feature is added.
This is sort of a backend way of securing the field, but hopefully one day this feature will be added as a standalone security rule as well.
J