Server
Pick one of these profile if you are the developer of a GraphQL server library/framework.
For most users, the server default should be First-party API — APIs intended to power their own websites and applications only (and reject external requests). This is the right baseline for the majority of GraphQL deployments where clients are controlled by the same organization. It's also much easier to open an API up later than it is to lock it down later!
Use Third-party API only when untrusted external clients must be allowed to send arbitrary documents (for example the GitHub or Shopify public APIs).