That’s part of the problem.
For example: The storage API is built directly on top of the AWS S3 SDK which requires IAM credentials. These typically come from Cognito Identity Pools and there’s no simple way to set a policy that’s specific for one user.
There are also issues with the way AppSync and the GraphQL Transformers work.
I think Amplify is really great fit for certain use cases. My prediction is that we’re eventually going to see a major re-design in the architecture. When that happens it’s potentially going to be like switching from Rails 2 -> 3 (A migrations so difficult that many stayed on 2 while others simply re-wrote for 3)