I agree it would be best to avoid making your own UDF for this.
If the user calling the GraphQL API has the “logged-in” role, then the read permission should be all that is required.
Notice that the shared query also reaches into other Collections, including your Ranking and Player (I think I got it right) collections. Also, in order to use the relationships, it’s also going to use the indexes generated from @relation, e.g. playerinranking_by_user. All of these other permissions must be added as well.
If all of the player and ranking info is public, then that’s awesome!
If it’s not all public, then you can still provide read access to all of the indexes and then provide predicates for the collections to describe which docs are available to a certain user.
(I’m referencing this older post for assumptions about the schema)
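A sketch of the role described in the reply above, as an added example that is not part of the original post or the poster's own code. It assumes FQL v4, a `User` collection for role membership, and a `user` ref field on `Player` documents; only `Ranking`, `Player`, `playerinranking_by_user` and the “logged-in” role name come from the post.

```fql
// Added example. Assumed names: User collection, data.user field on Player.
// If the role already exists, apply the same privileges array to it instead
// of calling CreateRole.
CreateRole({
  name: "logged-in",
  // Assumption: logged-in identities are documents in a User collection.
  membership: [{ resource: Collection("User") }],
  privileges: [
    // Public data: plain read access on the collection.
    {
      resource: Collection("Ranking"),
      actions: { read: true }
    },
    // Non-public data: a read predicate limits which documents this
    // identity can see. The Lambda receives the ref of the document.
    {
      resource: Collection("Player"),
      actions: {
        read: Query(
          Lambda(
            "ref",
            Equals(
              CurrentIdentity(),
              // Assumption: each Player stores its owner at data.user.
              Select(["data", "user"], Get(Var("ref")))
            )
          )
        )
      }
    },
    // Every index the query traverses needs read access too, including
    // the ones generated from @relation. Reading an index entry does not
    // bypass the collection predicate above when the document is fetched.
    {
      resource: Index("playerinranking_by_user"),
      actions: { read: true }
    }
  ]
})
```

Any other collections and @relation indexes that the shared query touches need their own entries in `privileges`.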