If you see the note here: Back-end customization | Strapi Documentation
WARNING
To apply policies with GraphQL please see the following guide.
Which links to here: https://strapi.io/documentation/developer-docs/latest/development/plugins/graphql.html#customize-the-graphql-schema but yes policies can be applied to GraphQL as well.