This argument sometimes comes from bad design of a REST API. See my answer on this other topic:
In resume, when designing a REST API endpoint for a resource nothing stops a developer from accepting a query parameter with the list of fields to be returned in the response, plus the list of sub-resources and their fields:
apibaas.io/some/endpoint?resource=posts:author;title;content,comments:author;content
Now, to group unrelated resources GraphQL as an advantage, but nothing stops you from having an API endpoints like this:
apibaas.io/some/endpoint?resources=categories:title,products:title;description;content;price,promotions:title,description,price,discount
Now, if you say that GraphQL query language looks better in terms of ergonomics I have to agree with you, but REST APIs are superior in terms of enforcing security via OpenAPI specs and prevent an attacker to dump a lot of data in a simple GraphQL request.
Put it simple GraphQL puts convenience over security due to its design. GraphQL is the nightmare of security teams and the dream of frontend devs.