Use resolversConfig rather than disabling REST endpoints
As Strapi requires global access to give permissions on sub-objects at the GQL level, we had to give broad permissions on certain models which we then secured with policies on the GQL side and disabled for the REST API in https://git.octree.ch/p/caroster/-/blob/main/backend/src/index.ts?ref_type=heads.
To make it cleaner and more secure, we can see if it is relevant to instead use the `auth` field at the `resolversConfig` level.
Edited by Tim Izzo
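
For reference, a sketch of the per-resolver `auth` setting in Strapi's GraphQL extension service, with a review helper that flags resolvers left without any gate. This is an added example, not code from the Caroster repository; the `api::event.event` model, the resolver names, the policy names and the `StrapiLike` stand-in type are assumptions.

```typescript
// Minimal stand-in types so the sketch compiles without @strapi/strapi installed.
type ResolverConfig = {
  auth?: false | { scope: string[] };
  policies?: string[];
};
type ResolversConfig = Record<string, ResolverConfig>;
type StrapiLike = {
  plugin(name: string): {
    service(name: string): { use(ext: { resolversConfig: ResolversConfig }): void };
  };
};

// Hypothetical model and policy names; replace with the project's own.
function buildResolversConfig(): ResolversConfig {
  return {
    // The scope each resolver requires is stated explicitly.
    "Query.event": {
      auth: { scope: ["api::event.event.findOne"] },
      policies: ["global::can-read-event"],
    },
    "Mutation.updateEvent": {
      auth: { scope: ["api::event.event.update"] },
      policies: ["global::can-edit-event"],
    },
    // auth: false bypasses the permission check, so the policy is the only gate.
    "Query.eventByUUID": { auth: false, policies: ["global::can-read-event"] },
  };
}

// Review helper: a resolver with auth disabled and no policy is open to anyone.
function unguardedResolvers(config: ResolversConfig): string[] {
  return Object.entries(config)
    .filter(([, c]) => c.auth === false && (c.policies ?? []).length === 0)
    .map(([name]) => name);
}

// In a Strapi project this is the register() hook exported from src/index.ts.
function register({ strapi }: { strapi: StrapiLike }): void {
  const config = buildResolversConfig();
  const open = unguardedResolvers(config);
  if (open.length > 0) {
    throw new Error(`Resolvers without auth or policy: ${open.join(", ")}`);
  }
  strapi.plugin("graphql").service("extension").use({ resolversConfig: config });
}
```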