If you want to restrict GraphQL access only to a selection of your DatoCMS models, you can generate a custom API token and assign to it a custom role.