hehe, you asked for efficiency and @amaster507 answered…
This is the same thing 1) and 2) here.
This will not work as expected, since you cannot prevent the @hasInverse field from being updated, which keeps the app unsecured.
Your only workaround here is to create a custom mutation that can just update the user information with dql, and lock the whole field otherwise to admins-only. This is why @zmajew is completely right on this thread.
J