When you say backend, are you talking about lamdas? I got backlash for pointing out that there should be no need for @auth directive when calling the query / mutation on a lambda. That query itself should be secured by you before it is run.
This would be a breaking change (even though it makes more sense), so I have not yet seen any support for this by my request.
However, you can run DQL on the backend (you have to learn it) without @auth directive necessity. In a week or so, it will also support JSON Mutations…
But to answer your question, a backend should never need @auth rules. However you are calling that backend should (or be secure). At least in all standard software products…
J