No authentication system is used to access a GraphQL endpoint. Why?

The GraphQL API is used to deliver public data under an end user context.

Because of the above, it is not mandoratory to protect a GraphQL endpoint since the data available through it are not private data. Indeed, those data are the ones displayed on the end-user interface (Web, Mobile, and SmartTV applications). It means that it is very easy for a specialized tool or robot to get all the content present on the Website (the term of "scrapping" is commonly used).

To conclude, the access to a GraphQL endpoint without any authentication system should not be a problem, since the main issue being that all the content displayed on a Website can be retrieved by any kind of dedicated tool or robot.