- **Single Endpoint:** Typically `/graphql`, making traditional URL-based security rules ineffective.
- **Client-Controlled Queries:** Clients determine what data to fetch, creating excessive data exposure risks if the schema exposes sensitive fields.
- **Introspection:** GraphQL's built-in schema int