In its default configuration all incoming connections are blocked. So, yes, you’ll need to set rules for services that should be accessible from the outside.
That’s pretty much the reason for enabling it by default.
Sometimes you install software where you don’t even know it’s listening on some ports on your network interface.
Just as an example: I remember some case where someone (it was even on this forum, I guess) installed Docker on his machine and the REST-API service was enabled (not sure if that was the default setting or not). Without a firewall, anyone in your network can connect to it and do nasty things.
Of course software should not be vulnerable like this in the first place… Still the FW would have helped in this case as an additional security measure.
On the other hand it would probably also create more “confusion” having it enabled by default.
“Hey I’ve configured sshd on my machine but can’t connect from another PC”.
“I run an HTTP server on my Manjaro, but it does not load from my 2nd PC”.
Security vs. convenience.
Unfortunately nowadays the tendency is that there are more and more “evil players in the game”.
Maybe not (yet) really relevant for the normal Linux user though (if you don’t run MS Exchange).