When used on object types, dynamic access checks can only be run after the parent field has already been resolved (otherwise there would be no object to pass into the block). Unfortunately, this opens the door for a number of side- channel attacks.
Consider for example the following simplified schema definition:
class QueryRoot < GraphApi::ObjectType