End points can be deployed to several different workers. The serverlibrary is only accessible server-side, the ajaxlibrary can be called from your browser, and the securelibrary can be called using the appropriate API Key.
When you publish an end point, its "Targets" tab lets you select which worker it will be deployed to.
Your default position, when publishing an end point, should be to publish it to the serverlibrary. This worker is secured so that your end point can only be called server-side by other workers. Your end point will be available to other end points, can be accessed in the default functions of form fields, and can be used in workflow process models.
End points published to the ajaxlibrary can be accessed in browser-side AJAX calls. This worker is completely public and has no security. Unless it is flagged as internal, any end point published to the ajaxlibrary can be accessed by anything capable of accessing your website.
There's also the securelibrary, which can be accessed publicly with an API Key. See Calling End Points Externally for an example.