GraphQL introspection lets clients discover the entire schema by querying __schema and __type. This is invaluable during development but exposes your API surface to attackers in production:
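One way to refuse introspection in production is to reject any request whose query selects `__schema` or `__type` before it reaches the executor. The sketch below is an added example, not code from the original page: the function names, the `allowIntrospection` option and the sample requests are assumptions made for illustration, and it scans tokens rather than using a GraphQL library's parser.

```javascript
// Added example: names and sample inputs here are constructed, not from the page.
// One alternation so strings and comments are consumed as whole tokens and
// "__schema" inside an argument value or a comment is never seen as a field.
const TOKEN =
  /"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|[_A-Za-z][_0-9A-Za-z]*/g;

// Return the introspection entry points selected anywhere in the document
// (operations or fragments, aliased or not). __typename is deliberately not
// listed: clients use it routinely and it only names the returned object's type.
function introspectionFields(query) {
  const found = new Set();
  for (const [token] of query.matchAll(TOKEN)) {
    if (token === "__schema" || token === "__type") found.add(token);
  }
  return [...found].sort();
}

// Gate for a parsed HTTP body. Batched requests arrive as an array, so every
// element is checked; a non-string query is left for the server to reject.
function checkRequest(body, { allowIntrospection = false } = {}) {
  const items = Array.isArray(body) ? body : [body];
  for (const item of items) {
    const query = typeof item?.query === "string" ? item.query : "";
    const hits = introspectionFields(query);
    if (hits.length > 0 && !allowIntrospection) {
      return { allowed: false, reason: `introspection disabled: ${hits.join(", ")}` };
    }
  }
  return { allowed: true, reason: null };
}

// Constructed sample requests.
const samples = [
  { query: "{ __schema { types { name } } }" },
  { query: 'query { t: __type(name: "User") { fields { name } } }' },
  { query: "{ user(id: 1) { __typename name } }" },
  { query: '{ search(text: "__schema") { id } } # __type' },
];
for (const s of samples) console.log(checkRequest(s).allowed, s.query);
```

The scan fails closed: any name token equal to `__schema` or `__type` is refused, wherever it appears in the document.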