You can use Poor-man’s auth* https://dgraph.io/docs/deploy/dgraph-administration/. In the future(no so long) it will protect queries and mutations. Not sure when this will be implemented.
Also, you can protect your DB using some technics like a reverse proxy, firewall. And the must recommended one, create an API in front of Dgraph and never expose the instances.