We have a flag which can turn off mutations, so only read-only queries would be run on the server. We should have such a flag set for our demo server – though I’ll have to double check if that’s the case. Otherwise, you’re right. Someone can just send bad data and mess it up – it won’t corrupt the database per se, the data would just be wrong.
Feel free to send me an email if you want at manish@dgraph.io.