Yes, auth rules are applied at type level. You may add different auth rules for adding, deleting, updating and querying a data type.
This is not completely true.
Example:
Consultancy has a query auth rule defined and Engagement does not have any auth rule.
This will only put all objects of type Consultancy behind auth rules. Objects of type Engagement, even if part of some consultancy won’t be behind any auth rules.
This means that querying queryConsultancy with unsatisfied auth rule, no data will be returned. But as Engagement does not have any auth rules, data will be returned while querying queryEngagement.