GraphQL itself does not perform access control for you, for the same reasons that GraphQL does not fetch your data for you - it leaves this up to you for maximum flexibility.
Most GraphQL servers have a concept of "context" which lets you provide an extra value to every field resolver during a query, and this is designed for exactly this case: the context is a perfect place to provide the "logged-in user" or "ACL roles" or whatever you like to call your authentication data.
Then in your field resolvers, you have access to this authentication data to decide if it's better to return null if the authed user shouldn't be able to access the value.