You can spin up several different Dgraph clusters and reduce the access to the prod one when the time comes. Also, never let your devs play around with the prod data. For data regulations, this could be a huge problem.
The Poor Man’s ACL will cover this. We already have it protecting Alter and other admin APIs. But soon it will protect Query and Mutations.
Yes. If you use the Auth feature, you are safe to use it in any GraphQL client out there. Dgraph’s GraphQL is an automated GraphQL API, so almost no coding is necessary to have fully functional business logic.