Everything is said in the subject of this blog post! I don’t know whether it’s a by design issue or a bug but facts show that AddIn-Only Policy calls cannot read items in draft status. I wasn’t aware of that restriction and I
can’t find any official documentation stating this.
How could it be a problem? If you build a third-party tool that makes some monitoring on the host web such as collecting the amount of documents that are not published for instance, you’re likely going to build a job (scheduled job in Azure for instance) that will connect to 365 using the app credentials since no user context will be available.
In that case, at the time of writing, your app won’t be able to tackle draft items although you gave it full control. As soon as you inject a user context into it, you can see draft items providing the user has enough privileges to do so.