You don't have to expose your entire schema; instead, expose carefully designed SQL views (so you can refactor your tables without breaking your API)
Read-only, obviously!
Use time limits to cut off expensive queries (GraphQL needs this too)
I genuinely did this as a joke, to wind up other developers with network tool traces.
But it worked great! Fast, maintainable, fun.
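The three points above (views instead of tables, read-only access, a query time limit) written out in PostgreSQL, as an added example that is not from the original comment. The schema names `app` and `api`, the table `app.orders` with its columns, and the role `api_reader` are all assumed for illustration.

```sql
-- Added example, not the commenter's setup. Assumed: base table app.orders
-- (id, status, total_cents, created_at, deleted_at, customer_email, internal_notes),
-- an "api" schema for the public surface, and a role api_reader for API callers.
CREATE SCHEMA IF NOT EXISTS api;

-- 1. Expose a view, not the table. Sensitive columns (customer_email,
--    internal_notes) never appear, and app.orders can be renamed or split
--    later as long as this view keeps returning the same columns.
CREATE VIEW api.orders AS
SELECT id, status, total_cents, created_at
FROM app.orders
WHERE deleted_at IS NULL;

-- 2. Read-only role: SELECT on the view only, no access to the base schema.
--    PostgreSQL runs a plain view with the view owner's privileges, so the
--    role can read api.orders without being able to touch app.orders.
CREATE ROLE api_reader NOLOGIN;
REVOKE ALL ON SCHEMA app FROM api_reader;
GRANT USAGE ON SCHEMA api TO api_reader;
GRANT SELECT ON api.orders TO api_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA api GRANT SELECT ON TABLES TO api_reader;

-- 3. Time limit: statements run as api_reader are cancelled after 2 seconds.
ALTER ROLE api_reader SET statement_timeout = '2s';

-- The API layer's connection user must be a member of api_reader and should
-- switch to it before running anything supplied by a caller:
--   SET ROLE api_reader;

-- Checks (run as api_reader): the first succeeds, the rest fail with
-- "permission denied", which is exactly what you want.
--   SELECT id, status FROM api.orders ORDER BY created_at DESC LIMIT 20;
--   SELECT customer_email FROM app.orders;
--   UPDATE api.orders SET status = 'paid' WHERE id = 1;
```

One caveat worth knowing: `statement_timeout` is a user-settable parameter, so a caller who can submit arbitrary SQL can also submit `SET statement_timeout = 0` on the same connection. Treat the role-level setting as a default, and enforce the cutoff a second time outside the caller's control, for example with a connection-pool or application-side cancel after the same deadline.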