The "default-csp" setting:
The text of the Content Security Policy that is included in the Content-Security-Policy: header field of the HTTP reply and in the default HTML <head> section that is added when the skin header does not specify a <head> section. The text "$nonce" is replaced by the random nonce that is created for each web page.
If this setting is an empty string or is omitted, then the following default Content Security Policy is used:
default-src 'self' data:; script-src 'self' 'nonce-$nonce'; style-src 'self' 'unsafe-inline'; img-src * data:;
The default CSP is recommended. The main reason to change this setting would be to add CDNs from which it is safe to load additional content.