As mentioned in the Workflow Approval docs:

https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks

By default, all first-time contributors require approval to run workflows.

I think this default behavior is great and makes sense! Please consider allowing second-time+ contributors to run workflows on push, as it really helps reduce iteration time.