Note that the XML-RPC API and Ajax API are legacy APIs and are no longer being developed, we recommend using the REST API instead.
In most use cases, the Ajax API is used on user-visible pages, often without any login required, and the Ajax auth token is visible in the page and can be used by anyone.
This means that listing videos can be sensitive. If there are videos on an account that are not (yet) meant to be public, these should not be accessible using the Ajax API using these auth tokens.
By default, requesting information about media is therefore restricted to videos that are moderated, and within their publishing window if one is configured. Note however that for legacy reasons it is still possible to play a video if you have the auth token and the mediaid of the video.
In most cases, the best solution is to set all media that is supposed to be user-visible to 'moderated' status using Console or the XML-RPC API.
It is also possible to create an 'administrator' Ajax auth key that allows listing all media on an account. This is intended for pages that require a login. However, these keys can still be restricted to only allow viewing (and not editing) of information.