If you look at the source of admin-ajax.php, the answer becomes clearer:
$action = $_REQUEST['action'];
if ( is_user_logged_in() ) {
// If no action is registered, return a Bad Request response.
if ( ! has_action( "wp_ajax_{$action}" ) ) {
wp_die( '0', 400 );
}
/**
* Fires authenticated Ajax actions for logged-in users.
*
* The dynamic portion of the hook name, `$action`, refers
* to the name of the Ajax action callback being fired.
*
* @since 2.1.0
*/
do_action( "wp_ajax_{$action}" );
} else {
// If no action is registered, return a Bad Request response.
if ( ! has_action( "wp_ajax_nopriv_{$action}" ) ) {
wp_die( '0', 400 );
}
/**
* Fires non-authenticated Ajax actions for logged-out users.
*
* The dynamic portion of the hook name, `$action`, refers
* to the name of the Ajax action callback being fired.
*
* @since 2.8.0
*/
do_action( "wp_ajax_nopriv_{$action}" );
}
Any code hooked to 'wp_ajax_ps-view-log'
will only run if the user is logged in. For an AJAX action to be usable by anonymous users, it would also need to be hooked to 'wp_ajax_nopriv_ps-view-log'
, and according to the code you’ve shared it is not.
So any admin-ajax.php code that is not explicitly allowed for logged-out users is protected by the same WordPress authentication that protects /wp-admin.
If you have registered users who should not have access to this endpoint, then the nonce verifies that they at least have access to a page that generates the nonce.