Don't most production-ready GraphQL servers have some sort of static query cost estimator that is intended to be hooked up to a rate limiter? At the bare minimum, it should be very easy to set up simple breadth+depth limits per request.
This doesn't seem meaningfully more complex than rate limiting a REST API, especially a REST API with configurable "includes."
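Added example, not part of the original comment and not taken from any GraphQL server: a static breadth+depth check of the kind the comment describes, with the field count used as the cost charged against a per-client token bucket. `measure`, `CostLimiter` and all limits are hypothetical names and values chosen for illustration. It assumes a syntactically valid query, and it counts named fragment spreads without expanding them, so they are capped separately.

```python
import re

# Strings, comments, directives and fragment spreads each lex as one token.
TOKEN = re.compile(
    r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|@\w+'
    r'|\.\.\.\s*(?:on\s+)?[A-Za-z_]\w*|\.\.\.|[{}():]|[A-Za-z_]\w*')

def measure(query):
    """Return (max selection depth, field count, named fragment spreads)."""
    depth = deepest = fields = spreads = parens = 0
    for tok in TOKEN.findall(query):
        if tok[0] in '"#@':
            continue                    # string, comment or directive name
        if tok in ("(", ")"):
            parens += 1 if tok == "(" else -1
        elif parens:
            continue                    # arguments / input objects, not selections
        elif tok == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif tok == "}":
            depth -= 1
        elif tok == ":":
            fields -= 1                 # "alias: field" was counted as two names
        elif tok.startswith("..."):
            if tok != "..." and not re.match(r"\.\.\.\s*on\s", tok):
                spreads += 1            # named spread: counted, not expanded
        elif depth:
            fields += 1                 # field name inside a selection set
    return deepest, fields, spreads

class CostLimiter:
    """Per-client token bucket charged one token per requested field."""
    def __init__(self, capacity, refill_per_sec, max_depth=6, max_fields=50, max_spreads=5):
        self.capacity, self.refill = capacity, refill_per_sec
        self.limits = (max_depth, max_fields, max_spreads)
        self.buckets = {}               # client id -> (tokens, last timestamp)

    def allow(self, client, query, now):
        shape = measure(query)
        if any(got > cap for got, cap in zip(shape, self.limits)):
            return False                # too deep or too broad: reject before executing
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        allowed = shape[1] <= tokens
        self.buckets[client] = (tokens - shape[1] if allowed else tokens, now)
        return allowed
```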