This work addresses the limitations of existing privacy analyses for graph neural networks, which often overlook the structural dependencies inherent in graph data and the randomness introduced by graph sampling during training, thereby failing to accurately assess node-level membership inference risks. To overcome this, the paper proposes Bayesian Membership Privacy (BMP), a novel framework that explicitly incorporates the graph sampling mechanism into the adversary’s knowledge. By formulating membership inference as a Bayesian hypothesis test, BMP integrates prior knowledge of node dependencies with sampling probabilities to compute posterior membership likelihoods, enabling fine-grained, node-level privacy quantification. Empirical evaluations on standard graph benchmarks demonstrate that BMP effectively uncovers nuanced privacy leakage patterns that conventional global attack metrics fail to detect, validating its sensitivity and practical utility.

Existing privacy analyses for Graph Neural Networks (GNNs) largely inherit assumptions from non-graph settings, overlooking structural correlations and stochastic training-graph sampling. In particular, node-dependent priors make type-I and type-II errors alone insufficient to characterize the best membership inference test. To address this, we introduce Bayesian Membership Privacy (BMP), a sampling-aware formulation of node-level membership privacy that incorporates node-dependent priors and treats graph sampling probabilities as part of the adversary's knowledge. BMP casts membership inference as a Bayesian hypothesis test and accordingly quantifies membership privacy in terms of posterior membership probability. We explore theoretical properties of BMP in relation to the existing definitions in the literature. We further propose a practical, sampling-aware auditing mechanism to estimate the parameters of BMP as a measure of node-level privacy leakage in GNNs. We conduct experiments on benchmark graph datasets and show that BMP yields fine-grained privacy insights that are not visible through global attack accuracy alone.