This was an intentional design decision. We wanted to make sure that the same report would appear the same when viewed by two different people. One of the main enhancements to our previous reporting system was the ability to send someone a link to a report and be assured that the report would be viewed the same by all viewers.
We have added a parameter that will restrict the results to only the snapshots that the user has permissions to see.
If you add &removeUnauthorizedSnapshots=true to the URL of the request, it will filter out the responses you want without having to provide every single project.