I'd love to allowlist the queries my actual app sends so malicious actors can't put together expensive queries manually!