GH actions and their access rights

I’m trying to figure out what the bare minimum is in terms of access rights that a GitHub action has to have when no extra parameters are passed in a workflow file.
For example:
steps:
- uses: actions/checkout@v2

Is that a GH token that allows reading from and writing to the repository?
The GitHub doc says “To use the GITHUB_TOKEN secret, you must reference it in your workflow file.”
[Authentication in a workflow - GitHub Docs]
So is that true or not?
I can see that in this case the GITHUB_TOKEN is not passed to an action in a workflow file. It is simply referenced in its source code: https://github.com/actions/checkout/blob/25a956c84d5dd820d28caab9f86b8d183aeeff3d/action.yml#L24

When I use third-party software to support a specific action, is it possible and reasonable to make sure it does not have full read/write access to the repository?

The documentation (Using the GITHUB_TOKEN in a workflow) mentions this, which explains how actions/checkout gets the token:

Important: An action can access the GITHUB_TOKEN through the github.token context even if the workflow does not explicitly pass the GITHUB_TOKEN to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the GITHUB_TOKEN. For more information, see “Permissions for the GITHUB_TOKEN.”

That exception shouldn’t apply to command-line tools you call. That last link also mentions how you can restrict the privileges available with the GITHUB_TOKEN.
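
A workflow that restricts the GITHUB_TOKEN as the answer above describes, given as an added example that is not part of the original posts or of GitHub's documentation. The workflow name, the job names and `example-org/some-third-party-action` are hypothetical placeholders; `permissions` and the `persist-credentials` input of actions/checkout are the real keys.

```yaml
# Constructed example workflow; names and the third-party action are placeholders.
name: ci
on: [push]

# Workflow-level default: the token in every job can only read repository
# contents. Scopes not listed here get no access.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # checkout picks up github.token by default, without it being passed
      # under "with:" in this file.
      - uses: actions/checkout@v2
        with:
          # Do not leave the token in the local git config for later steps.
          persist-credentials: false

      # Hypothetical third-party action. It can still reach github.token
      # through the context, but that token now only carries contents: read.
      - uses: example-org/some-third-party-action@v1

  triage:
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job only,
    # so this job's token can write to issues and has no contents access.
    permissions:
      issues: write
    steps:
      - run: echo "token in this job is limited to issues: write"
```

Setting `permissions: {}` on a job removes all token access for that job, which suits jobs that only run third-party actions with no need to call the GitHub API.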