Forum Discussion
The other thing to check would be how they are authenticating. Most likely they are doing a proper auth flow, but classic also allowed the session id cookie to be used for API auth, which was not recommended but possible in older instances of classic. To further protect the API and data, Aurora does not allow this to be used to authenticate API requests.
They replied to say "We are not using the REST API to get the results, we are directly querying the SQL from Java class."
- NickH, 2 months ago, Khoros Staff
I'm 99% sure they are using LiQL, as we don't allow direct SQL queries even from Java in the application. LiQL looks deceptively like SQL, even to the point of security teams raising concerns about direct SQL queries, which should not be allowed, that ended up being LiQL.
LiQL was created as a Lithium query language used to make it easier to query specific data fields from a REST endpoint. It was modeled after SQL queries but wrapped and limited queries to safe query parameters.
GraphQL is a more industry standardized API query language rather than a proprietary Lithium capability. GraphQL queries are still passed through typical HTTP requests and are basically wrapped REST API calls not all that different than anyone using REST/LiQL.
In your case, it sounds like the query is being made from a Java class. I assume this is a Java class you own and I assume it runs outside of the community application, so it should still be able to leverage LiQL for the time being and GraphQL in the future with minimal effort to update the query.