Add a @ResolveField() for sensitive fields and check the requesting user's permissions inside the resolver. Return null when the user lacks permission. For ABAC-based field authorization, use CASL's ability.cannot() on the field name. This ensures sensitive data is never included in the response for unauthorized users.
Return null for unauthorized fields — never throw an error; GraphQL partial results are expected.
Declare the field as nullable: true in the schema so the null return is valid.
@ResolveField() is lazy — it only runs when the client explicitly requests that field.
Use GqlExecutionContext.create(context) inside guards to reach the GraphQL request context if you apply field-level guards instead of checking permissions in the resolver body.
CASL ability.cannot('read', subject, 'fieldName') checks the third argument as a field condition.
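The pattern above, as an added example that is not code from NestJS, CASL or any project: the field resolver body returns null when the requester's ability denies the field. So that it runs offline, MiniAbility is a hand-written stand-in that mirrors the field semantics of CASL's ability.cannot(action, subject, field) (later rules win, a rule with fields applies only to those fields); abilityFor, resolveSensitiveField, the User shape, the roles and the sample record are all assumptions made for the example, and the NestJS wiring is shown only in a comment.

```typescript
// Added example (not from any project): field-level authorization for a
// sensitive GraphQL field, written so it runs without @nestjs/graphql or
// @casl/ability installed. MiniAbility is a stand-in that mirrors the part
// of CASL's `ability.cannot(action, subject, field)` used here.

type Action = 'read' | 'update';

interface Rule {
  action: Action;
  subject: string;      // subject type name, e.g. 'User'
  fields?: string[];    // when present, the rule applies only to these fields
  inverted?: boolean;   // true for a `cannot(...)` rule
}

class MiniAbility {
  private readonly rules: Rule[];
  constructor(rules: Rule[]) { this.rules = rules; }

  // Later rules take precedence, as in CASL. A rule without `fields` covers
  // every field; a rule with `fields` matches a named field only if listed,
  // and when no field is named it matches only if it is a grant.
  can(action: Action, subject: string, field?: string): boolean {
    for (let i = this.rules.length - 1; i >= 0; i--) {
      const r = this.rules[i];
      if (r.action !== action || r.subject !== subject) continue;
      const fieldMatches = !r.fields
        ? true
        : field === undefined ? !r.inverted : r.fields.includes(field);
      if (fieldMatches) return !r.inverted;
    }
    return false; // no matching rule: deny by default
  }

  cannot(action: Action, subject: string, field?: string): boolean {
    return !this.can(action, subject, field);
  }
}

interface User { id: string; email: string; ssn: string | null; }

// Hypothetical ability builder for two roles: admins read every User field,
// members read User but are denied the `ssn` field.
function abilityFor(role: 'admin' | 'member'): MiniAbility {
  const rules: Rule[] = [{ action: 'read', subject: 'User' }];
  if (role === 'member') {
    rules.push({ action: 'read', subject: 'User', fields: ['ssn'], inverted: true });
  }
  return new MiniAbility(rules);
}

// Body of the field resolver: return null rather than throwing when the
// requester may not read the field, so the rest of the query still resolves.
function resolveSensitiveField<T extends object, K extends keyof T & string>(
  ability: MiniAbility, subject: string, parent: T, field: K,
): T[K] | null {
  if (ability.cannot('read', subject, field)) return null;
  return parent[field];
}

// Constructed sample record.
const sampleUser: User = { id: 'u1', email: 'a@example.com', ssn: '123-45-6789' };

// In a NestJS resolver the same helper sits inside the field resolver
// (illustration only; needs @nestjs/graphql and an ability factory, and the
// field must be declared nullable so the null return is schema-valid):
//
//   @ResolveField('ssn', () => String, { nullable: true })
//   ssn(@Parent() user: User, @Context() ctx: GqlContext) {
//     const ability = this.abilityFactory.createForUser(ctx.req.user);
//     return resolveSensitiveField(ability, 'User', user, 'ssn');
//   }

console.log(resolveSensitiveField(abilityFor('admin'), 'User', sampleUser, 'ssn'));    // 123-45-6789
console.log(resolveSensitiveField(abilityFor('member'), 'User', sampleUser, 'ssn'));   // null
console.log(resolveSensitiveField(abilityFor('member'), 'User', sampleUser, 'email')); // a@example.com
```

Because the denial is a field rule rather than a subject rule, a member can still read the User object as a whole; only the listed field resolves to null, which is exactly the partial-result behaviour GraphQL clients expect.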