Have I been really dim?..
My head was in a ‘secure an API end-point’ frame of mind i.e. the query needs @auth rules applied but it just clicked that in /Graph @auth rules are applied at the type level not the query level and therefore will inherently be applied to nested arrays of types within a query.
Is that right or have i still missed the @auth model in /graph?
Thanks in advance