Why the Default Policy should be the most restrictive

The Default policy is the landing policy for all traffic that doesn't have a rule moving it to a different policy. Because of this and depending on your network policies, you may either want this to be the most restrictive policy, or the least restrictive. 

Making the Default the most restrictive policy ensures that no one is allowed access to websites and apps that they shouldn't be until they are validated as a user on your network.