You can’t trust that a web client has not been compromised.
The only safe bet is to assume that any API that you expose to your web client is being directly used as an API.
The client-side JavaScript for a site makes great documentation for attacking your server.
A simple `wget -r URL` will give you the HTML, CSS and JavaScript of most of the site.
The internal URLs are stored in the JavaScript along with any of the GraphQL queries that you are using.
Developer tools in the browser plus a simple GraphQL client tool can give you access to far more than you expect.
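The practical consequence of the point above is that every check the front-end performs has to be repeated on the server, with identity taken from the session and not from the request body. The following is an added example (not code from the original note) showing one "update profile" handler written twice: a version that believes the flags the page's own JavaScript normally sends, and a version that decides identity, authorization and input validation from server-held state. The store, session table, field names and request shape are all hypothetical; the same split between client-supplied arguments and a server-populated context applies to a GraphQL resolver.

```javascript
'use strict';

// Fresh copy of the constructed data for each scenario, so calls do not share state.
function makeStore() {
  return {
    users: new Map([
      [1, { id: 1, name: 'alice', role: 'user',  email: 'alice@example.com' }],
      [2, { id: 2, name: 'bob',   role: 'user',  email: 'bob@example.com' }],
      [9, { id: 9, name: 'root',  role: 'admin', email: 'root@example.com' }],
    ]),
    // session token -> user id; the server owns this table, the client only holds the token
    sessions: new Map([['tok-alice', 1], ['tok-bob', 2], ['tok-root', 9]]),
  };
}

const USER_FIELDS  = new Set(['name', 'email']);          // anyone may change on themselves
const ADMIN_FIELDS = new Set(['name', 'email', 'role']);  // admins may also change role
const ROLES = new Set(['user', 'admin']);

// BEFORE: the server believes whatever the page's JavaScript normally sends. Because that
// JavaScript is downloadable, the body format is public, and a hand-made request can carry
// `isAdmin: true` or point `userId` at another account.
function updateUserTrustingClient(store, request) {
  const { userId, patch, isAdmin } = request.body;
  const target = store.users.get(userId);
  if (!target) return { ok: false, error: 'not found' };
  if ('role' in patch && !isAdmin) return { ok: false, error: 'forbidden' };
  Object.assign(target, patch);                 // no field allow-list, no type check
  return { ok: true, user: { ...target } };
}

// AFTER: identity, authorization and validation are all decided from server-held state.
function updateUserServerEnforced(store, request) {
  // 1. Who is calling comes from the session, never from the body.
  const token = request.headers && request.headers.authorization;
  const callerId = store.sessions.get(token);
  if (callerId === undefined) return { ok: false, error: 'unauthenticated' };
  const caller = store.users.get(callerId);

  // 2. What the caller may touch is derived from server-side role and ownership.
  const { userId, patch } = request.body;
  const target = store.users.get(userId);
  if (!target) return { ok: false, error: 'not found' };
  const isAdmin = caller.role === 'admin';
  if (!isAdmin && caller.id !== userId) return { ok: false, error: 'forbidden' };

  // 3. Validation is repeated here even though the front-end form also did it.
  if (typeof patch !== 'object' || patch === null) return { ok: false, error: 'bad request' };
  const allowed = isAdmin ? ADMIN_FIELDS : USER_FIELDS;
  for (const [key, value] of Object.entries(patch)) {
    if (!allowed.has(key)) return { ok: false, error: `bad field: ${key}` };
    if (typeof value !== 'string' || value.length === 0 || value.length > 100) {
      return { ok: false, error: `bad value: ${key}` };
    }
    if (key === 'role' && !ROLES.has(value)) return { ok: false, error: 'bad value: role' };
  }
  Object.assign(target, patch);
  return { ok: true, user: { ...target } };
}

// Constructed request: bob (session tok-bob) tries to make alice an admin while claiming isAdmin.
const forgedRequest = {
  headers: { authorization: 'tok-bob' },
  body: { userId: 1, patch: { role: 'admin' }, isAdmin: true },
};

// Runs both handlers against the same forged request on separate stores.
function demo() {
  return {
    trusting: updateUserTrustingClient(makeStore(), forgedRequest),  // ok: true, alice becomes admin
    enforced: updateUserServerEnforced(makeStore(), forgedRequest),  // ok: false, error: 'forbidden'
  };
}

console.log(demo());
```

The trusting handler is not wrong because of any one line; it is wrong because its only source of truth is the request body, which the site's own bundle documents. The enforced handler never reads a privilege claim from the client: the token maps to a user on the server, the role comes from that user record, and the allow-list of editable fields is applied regardless of which fields the form happened to expose.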