Hacker News

It's not something I'd grab quickly, but at the same time, it looks great for doing 'pure' CRUD applications. You'll probably need serious database administration skills, though; I've yet to see anyone do anything with database account and permission systems that isn't straight root access from an application.



I investigated this and a few others for quickly spinning up a back office app, and settled on postgraphile. The endpoint that is exposed from the service is authenticated and a role is then set on the request object which postgraphile then uses to set the role for the database transaction. With appropriate roles set in the database, my back office users now have fine-grained permissions for reading/writing only to tables that I want them to.


It seems to me that it's the main limitation of this solution - authorization is limited to table scope so if you can update any row, you can update all rows for all users. Same for data querying.

If you completely trust your users, that's fine.


That's not true; you can use row level security (RLS) to control access (both reading and writing) on a per-row basis. You can think of it as similar to an implicit "where" clause that automatically gets added to all requests.

RLS: https://www.postgresql.org/docs/current/ddl-rowsecurity.html
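The per-row control described above, as an added PostgreSQL example that is not from this thread or from PostGraphile itself. It assumes a per-transaction session setting named `app.user_id` carried by the API layer alongside `SET LOCAL ROLE`; the setting name, the `app_user` role and the `notes` table are hypothetical.

```sql
-- Added example (not from the thread): row level security keyed on a
-- per-transaction setting. Names below are hypothetical.

CREATE ROLE app_user NOLOGIN;

CREATE TABLE notes (
  id       serial  PRIMARY KEY,
  owner_id integer NOT NULL,
  body     text    NOT NULL
);

GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;
GRANT USAGE, SELECT ON SEQUENCE notes_id_seq TO app_user;

-- Enable RLS; FORCE makes the table owner subject to the policies too.
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;

-- USING filters rows returned by SELECT/UPDATE/DELETE (the implicit WHERE);
-- WITH CHECK rejects rows written by INSERT/UPDATE that would not match.
-- current_setting(..., true) yields NULL when unset, and NULLIF turns an
-- empty value into NULL, so a missing user id sees no rows rather than all.
CREATE POLICY notes_owner_only ON notes
  FOR ALL TO app_user
  USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::integer)
  WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::integer);

-- One request, as the API layer would issue it: role and user id are
-- scoped to this transaction only (SET LOCAL / set_config(..., true)).
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.user_id', '42', true);
INSERT INTO notes (owner_id, body) VALUES (42, 'visible to user 42');
SELECT * FROM notes;   -- returns only rows with owner_id = 42
COMMIT;

-- A write for another user's row fails WITH CHECK and aborts the transaction.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.user_id', '42', true);
INSERT INTO notes (owner_id, body) VALUES (7, 'not mine');
-- ERROR:  new row violates row-level security policy for table "notes"
ROLLBACK;
```

Because the policy is evaluated inside the database, a bug in the API layer that forgets a WHERE clause still cannot expose or modify another user's rows.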


We built an entire system using RLS and functions. Postgraphile is frankly amazing. You can also extend the schema using Typescript or SQL.





