Have you tried running the GraphQL query outside of auth? Meaning remove the auth rules and just try running that query by itself.
I don’t think it is a problem with the auth rule, but a possible bug in the query itself to look in a list that is potentially nil itself.