By default, a newly created security group in a VPC denies all inbound traffic until you create inbound traffic rules allowing it. This security measure ensures that no unintended services are exposed unless explicitly allowed by the architect or administrator. The 'deny all' default helps in maintaining a secure network posture aligning with the principle of least privilege.