Content Security Policy?

I recently did a check with Webbkoll and it showed me the following Content Security Policy header:

default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-xxx';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';worker-src 'self' blob:

However, in my nginx vHost configuration I didn’t set a CSP.
I wanted to treat this topic today, but then I found this. xD

Where does this CSP come from? Where can if modify it, if needed?

I wanted to disallow the Nextcloud News App + Bookmarks App to load images from 3rd party sites.
(In general I want to most restrictive CSP as possible)

img-src 'self' data: blob:

I don’t know exactly what “data” and “blob” means?
How should I modify it to achieve the above?

I hope someone can clarify this.
Thanks!

edit: Another question but regarding the same topic:
I’ve set the

add_header X-Frame-Options deny always;

header, but now the admin panel shows a warning that is is not set to “SAMEORIGIN”.
However, deny should be more secure than sameorigin, right?