is using default-src * safe?

I have a website to do security testing. The CSP is as follows.

default-src * ; style-src 'self' 'unsafe-inline' data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: ; font-src 'self' data: 

As per my understanding, default-src * ; loads everything such as script, html and so from any domain. Is it safe to do? The web app loads third party scripts, images and css from only the three domains as mentioned in the policy. In that case default-src 'self' would suffice?

Also, what threat usage of data: could create? Does it break the application if I remove that?