Conversation
hugovk commented Feb 19, 2025
- Add zizmor to pre-commit and fix warnings
- Update pre-commit and apply Ruff changes
```yaml
permissions: {}
```
Is this added just to explicitly state that no extra permissions are granted (I would assume that's already the default)?
> Is this added just to explicitly state that no extra permissions are granted

Yes.

> (I would assume that's already the default)?

No, see below.

> Furthermore, users often don't realize that the default `GITHUB_TOKEN` permissions can be very broad, meaning that workflows that don't configure any permissions at all can still provide excessive credentials to their individual jobs.
>
> ...
>
> In practice, this means that workflows should almost always set `permissions: {}` at the workflow level to disable all permissions by default, and then set specific job-level permissions as needed.

https://woodruffw.github.io/zizmor/audits/#excessive-permissions
The default access (permissive) is read/write for most of the scopes:
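The pattern the zizmor docs describe, as an added illustration that is not part of this PR or its repository: a workflow with no `permissions` block inherits the repository default scopes, while the hardened version sets `permissions: {}` at the top and lets each job opt in to only what it uses. Job names, steps and the chosen scopes are hypothetical.

```yaml
# Added example, not from the PR. Two workflow documents are shown back to
# back for comparison; a real .github/workflows/*.yml holds only one.

# BEFORE: no permissions block, so every job receives the repository's
# default GITHUB_TOKEN scopes (read/write on most scopes when the default
# is "permissive"), whether or not the steps need them.
name: ci-permissive
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest

---
# AFTER: workflow-level permissions: {} drops every default scope. A job
# that only reads a public repository needs nothing further; a job that
# must write (here, a hypothetical PR comment) declares exactly that scope.
name: ci-least-privilege
on: [push, pull_request]

permissions: {}          # nothing by default; jobs opt in below

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest

  comment:
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'pull_request'
    permissions:
      pull-requests: write   # only this job may write to the PR
    steps:
      - env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr comment "${{ github.event.pull_request.number }}" --body "Tests passed"
```

Running zizmor over the first document flags the missing permissions block under the excessive-permissions audit linked above; the second passes because the only write scope is job-scoped and named explicitly.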
Thanks for the explanation, this is good to know!

So the default permissions are too permissive, the `contents: read` that was explicitly set before was still not needed, and the `permissions: {}` we have now disables all permissions.