Tableau server employs best practice security, in which all users are automatically denied permissions to any given content unless stated otherwise. As shown in the Tableau help page diagram below:
Each permission represents a bundle of underlying capabilities. Each capability provides the option to grant access to a particular function or service within the server e.g. the ability to: comment, edit, delete, etc. Therefore, capabilities are used to grant users different levels of authority with regards to content where needed.
Here we can see different groups have different capabilities within the workbook. These groups each contain different users within the server. Both 'SALES Directors' and 'Robson Hemans-Alexander' have all possible capabilities as due their role as Administer. Each groups capabilities are customisable, although templates are also available. In the above example we can see that 'ALL Users' are denied from View Comments and Add Comments within the Workbooks tab.
The 'Content permissions: Locked including nested projects' (Top left hand corner) option will automatically apply these set of capabilities to all current and future content held within the given project/folder, however these capabilities will still be changeable in the nested folders. If unlocked, then these options will not be default for your nested projects.