But if your limiting to only a whitelist of queries what's the difference vs a standard API? You might as well then just have a REST endpoint with the query defined on the server if your only allowing certain queries. Get your Javascript dev's to write a Node service or equivalent with the query logic inside it; that way the query logic doesn't need to be replicated per client.
This is where GraphQL shines. You give your developer a schema and "they" choose the queries and mutations they want to make to make their life easy. Also, there's very less friction because the GraphQL schema can be completely documented.
And while going to prod, you just allow the queries that are being used, disable rest.
