GH actions and their access rights

I’m trying to figure out what the bare minimum is, in terms of access rights, that a GitHub action has to have when no extra parameters are passed in a workflow file.
For example:
steps:
- uses: actions/checkout@v2

Is that a GH token that allows reading from and writing to the repository?
The GitHub doc says “To use the GITHUB_TOKEN secret, you must reference it in your workflow file.”
[Authentication in a workflow - GitHub Docs]
So is that true or not?
I can see that in this case the GITHUB_TOKEN is not passed to an action in a workflow file. It is simply referenced in its source code: https://github.com/actions/checkout/blob/25a956c84d5dd820d28caab9f86b8d183aeeff3d/action.yml#L24

When I use third-party software to support a specific action, is it possible and reasonable to make sure it does not have full read/write access to the repository?
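
Added example, not part of the original post and not GitHub's own sample: a workflow that narrows the automatically provided token with the `permissions` key, so that actions which pick up `github.token` through an input default receive only the scopes listed. The workflow name, job names, the `example-org/example-action` reference and its `<full-commit-sha>` are placeholders.

```yaml
# Constructed workflow for illustration; names are assumptions.
name: least-privilege-example
on: [push]

# Workflow-level default for every job's GITHUB_TOKEN.
# Scopes not listed here are set to "none".
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # No "with: token:" is written here, yet the action still receives the
      # token: its "token" input defaults to ${{ github.token }} (the
      # action.yml line linked in the post). The permissions block above is
      # what bounds that token.
      - uses: actions/checkout@v2
        with:
          # Do not leave the token in the local git config, where later
          # steps in this job could read it.
          persist-credentials: false

      # Hypothetical third-party action, pinned to a full commit SHA
      # (placeholder) so the code that runs cannot change under the tag.
      # It can use at most a contents:read token.
      - uses: example-org/example-action@<full-commit-sha>

  tag-release:
    needs: build
    runs-on: ubuntu-latest
    # Job-level override: only this job gets write access, and it runs no
    # third-party code.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v2
      - run: |
          git tag "build-${GITHUB_RUN_NUMBER}"
          git push origin "build-${GITHUB_RUN_NUMBER}"
```

Each job's "Set up job" log step lists the permissions the token was actually granted, which is a quick way to confirm the restriction took effect.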