The "default-csp" setting:
If this setting is an empty string or is omitted, then the following default Content Security Policy is used:
default-src 'self' data:; script-src 'self' 'nonce-$nonce'; style-src 'self' 'unsafe-inline';
The default CSP is recommended. The main reason to change this setting would be to add CDNs from which it is safe to load additional content.
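An added example, not part of the original documentation: one way to derive a custom "default-csp" value from the default above by appending a single CDN origin to one directive while leaving every other source, including the 'nonce-$nonce' placeholder, exactly as written. The function names and the origin https://cdn.example.com are assumptions made for illustration.

```python
import re

# The default policy exactly as documented above.
DEFAULT_CSP = ("default-src 'self' data:; script-src 'self' 'nonce-$nonce'; "
               "style-src 'self' 'unsafe-inline';")

# Accept only a concrete https origin: no wildcards, no bare schemes, and no
# spaces or semicolons that could smuggle in extra sources or directives.
ORIGIN_RE = re.compile(r"https://[a-z0-9-]+(\.[a-z0-9-]+)+(:\d+)?")


def parse_csp(policy):
    """Split a policy string into an ordered {directive: [sources]} dict."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def add_cdn(policy, directive, origin):
    """Return policy with origin appended to directive, nothing else changed."""
    if not ORIGIN_RE.fullmatch(origin):
        raise ValueError(f"not a specific https origin: {origin!r}")
    directives = parse_csp(policy)
    if directive not in directives:
        # An absent fetch directive falls back to default-src, so start from
        # those sources rather than silently dropping them.
        directives[directive] = list(directives.get("default-src", []))
    if origin not in directives[directive]:
        directives[directive].append(origin)
    return " ".join(f"{name} {' '.join(srcs)};"
                    for name, srcs in directives.items())


if __name__ == "__main__":
    # cdn.example.com is a placeholder origin, not a recommendation.
    print(add_cdn(DEFAULT_CSP, "script-src", "https://cdn.example.com"))
```

The printed string is the value to store in the setting; review it against the default before applying it, since every added origin becomes trusted for that directive.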