What is the rationale for getReadOnlySchema() / copyReadOnly(schema)?

[aleksandarsusnjar]

I just started using graphql-java, graphql-java-kickstart and graphql-java-servlet. My question is why does the DefaultGraphQLSchemaProvider create a copy of the schema without mutations?

I saw a mention of preventing mutations before authentication. However, for me at least, authentication itself is a mutation and security, authorization and access control are done at fine-grain level throughout my code anyway. Furthermore, my schema isn't supposed to be a secret even to unauthenticated clients. They will be able to know all the mutations anyway. Awareness of existence of an API function isn't a factor in deciding whether the client is allowed to use it.

Is it that GraphQLSchema isn't entirely immutable? Quick check suggests that it is.

Thanks!