Data ownership policies and GraphQL

It seems that when GraphQL is enabled, any authenticated user can fetch all the data in the system without a filter. And since data ownership is still a workaround, not an inbuilt feature, how do you cope with (or what are the best practices for) data ownership for both REST and GraphQL?
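One pattern that addresses the concern above, as an added example that is not part of the original post and not tied to any particular framework: put the ownership filter in a single data-access function and have both the REST handler and the GraphQL resolver call it, so there is no code path that returns an unfiltered collection. The example assumes the authenticated principal is available as `context.user` (or `req.user`) with an `id` and an optional `roles` array; the records and the `admin` role are constructed sample data.

```javascript
// Added example (not from the original post): one ownership check shared by
// REST handlers and GraphQL resolvers, so neither surface can return records
// the caller does not own. The store and the request context are in-memory
// stand-ins; `admin` is an assumed role name.

// Constructed sample data: every record carries its owner's id.
const ARTICLES = [
  { id: 1, title: "alpha", owner: "u1" },
  { id: 2, title: "beta", owner: "u2" },
  { id: 3, title: "gamma", owner: "u1" },
];

// Data-access layer. Every read goes through here and must supply the caller;
// there is deliberately no "fetch everything" entry point for transports to use.
function findOwned(records, caller) {
  if (!caller || !caller.id) throw new Error("unauthenticated");
  const isAdmin = Array.isArray(caller.roles) && caller.roles.includes("admin");
  return isAdmin ? records.slice() : records.filter((r) => r.owner === caller.id);
}

// Single-record lookup scoped to the caller. "Missing" and "not yours" both
// yield null so an id that belongs to someone else is indistinguishable from
// an id that does not exist.
function findOneOwned(records, caller, id) {
  return findOwned(records, caller).find((r) => r.id === id) || null;
}

// GraphQL-style resolvers with the (parent, args, context) signature used by
// graphql-js. The owner comes from the authenticated context, never from args,
// so a client cannot widen the filter by changing its query.
const resolvers = {
  Query: {
    articles: (_parent, _args, ctx) => findOwned(ARTICLES, ctx.user),
    article: (_parent, args, ctx) => findOneOwned(ARTICLES, ctx.user, args.id),
  },
};

// REST-style handlers: same data-access function, different transport.
function restListArticles(req) {
  try {
    return { status: 200, body: findOwned(ARTICLES, req.user) };
  } catch (e) {
    return { status: 401, body: { error: e.message } };
  }
}

function restGetArticle(req, id) {
  try {
    const rec = findOneOwned(ARTICLES, req.user, id);
    return rec
      ? { status: 200, body: rec }
      : { status: 404, body: { error: "not found" } };
  } catch (e) {
    return { status: 401, body: { error: e.message } };
  }
}

// Stand-alone demo: the same user sees the same subset on both surfaces.
const demoUser = { id: "u1", roles: [] };
console.log("GraphQL:", resolvers.Query.articles(null, {}, { user: demoUser }).map((r) => r.id));
console.log("REST:   ", restListArticles({ user: demoUser }).body.map((r) => r.id));
console.log("foreign id via REST:", restGetArticle({ user: demoUser }, 2).status);
```

The point of the design is that the filter is not a policy bolted onto one transport: the GraphQL resolver and the REST handler cannot reach the store without naming the caller, so enabling a second API surface does not silently re-expose the full table.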