How to hide some relational fields when using GraphQL endpoint

Questions and Answers Strapi Backend
1
System Information
  • Strapi Version: 4.1.5
  • Operating System: MacOS
  • Database: sqlite
  • Node Version: 14.17.0
  • NPM Version:
  • Yarn Version:

Hi, I am using graphql endpoint for my Strapi requests.

I have a Book collection and a user relation in it. So, when I am displaying a post, I want to display author information like name, avatar, etc.

But the problem is all user fields are exposed with graphql and I cannot disable them.
For example, anyone can update my query and fetch the current post’s author email and other data.

I’ve tried to use the field disabling feature but this didn’t work with nested/relational fields.

strapi
      .plugin('graphql')
      .service('extension')
      .shadowCRUD('api::book.book')
      .field('...')
      .disable()

I know it is possible to make email private attribute but there will be some cases I need that email.
So, it would be perfect if I hide some fields on some requests.