Yes, this is true.
Yes, he can.
I don’t have much experience with GraphQL, but if the user has the permissions, he can do whatever he wants. He can, for example, fire up Postman and achieve the same result through the REST API.
I would create an API route to handle liking and such; you can find more information about creating routes, controllers and doing backend logic here (Backend customization - Strapi Developer Documentation).
You can also create a policy to prevent users from modifying posts they are not the author of (Backend customization - Strapi Developer Documentation - also from the link above).
And I would suggest restricting users from the update permission and just writing your own logic on the backend.
Added another example/tutorial from the docs: Is Owner - Strapi Developer Documentation
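As an added illustration of the "is owner" policy idea above (example code, not from the original post or the Strapi docs), here is a policy that refuses updates to a post unless the caller is its author. It assumes a Strapi v4 policy signature `(policyContext, config, { strapi })`, a content type `api::post.post`, and an `author` relation to the users-permissions user; the fixtures at the bottom are constructed so the file runs without a Strapi instance.

```javascript
// Added example, not the project's own code.
// Assumptions: Strapi v4 policy signature, content type `api::post.post`,
// and an `author` relation on the post. Adjust UID and field to your schema.

// Pure decision: does this authenticated user own this post?
// Anonymous callers, missing posts and posts without an author all yield
// false, so a mis-populated relation fails closed rather than open.
function isPostOwner(user, post) {
  if (!user || !post || !post.author) return false;
  const authorId = typeof post.author === 'object' ? post.author.id : post.author;
  return String(authorId) === String(user.id);
}

// Policy body: load the post named in the route params and allow the request
// only if the caller owns it. Save as src/api/post/policies/is-owner.js and
// attach it to the update/delete routes in the post's routes config.
async function isOwnerPolicy(policyContext, config, { strapi }) {
  const user = policyContext.state.user;
  const id = policyContext.params.id;
  if (!user || !id) return false;

  const post = await strapi.entityService.findOne('api::post.post', id, {
    populate: ['author'],
  });
  return isPostOwner(user, post);
}

// Export as a Strapi policy when loaded through CommonJS.
if (typeof module !== 'undefined') {
  module.exports = isOwnerPolicy;
  module.exports.isPostOwner = isPostOwner;
}

// Constructed fixtures: a fake post table and a fake strapi.entityService,
// so the policy can be exercised offline.
const fakePosts = {
  1: { id: 1, title: 'mine', author: { id: 7 } },
  2: { id: 2, title: 'theirs', author: { id: 8 } },
  3: { id: 3, title: 'orphan', author: null },
};
const fakeStrapi = {
  entityService: { findOne: async (uid, id) => fakePosts[id] || null },
};
function fakeContext(userId, postId) {
  return { state: { user: userId ? { id: userId } : null }, params: { id: postId } };
}
```

Attaching this policy to the update route, while removing the blanket `update` permission from the Authenticated role, means a user with a valid JWT can still only change their own posts, whether the request arrives via REST, GraphQL or Postman.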