You are completely right that the only secure usage of the GraphQL API is with all @custom mutations. Lambda should not be the patch for GraphQL API security issues, but a helper for the implementation of the more complex operations upon the database. That approach is not responsible and professional.
If the Dgraph team is aware of those basic (!!!) security issues, they should put it in the documentation as a temporary solution until the proper GraphQL API solutions are there. Otherwise, Dgraph becomes a more time-consuming product than writing our own old-fashioned backend. Without that in the documentation, their TODO example stays on the level of the ‘Hello World’ example.
From the topic you created, I see that you have some suggestions. I am a Go developer and I hope to find time to look into it more deeply, but from some of the answers you have got from the Dgraph team, I first have to find a motive. I just cannot understand that someone has to be even persuaded into this. The only proper answer to this from the team should be “Yeah, yeah, we are on it”.