If no ACL is assigned to a APM session, nothing is blocked.
The main goal of ACL is to manage authorization based on user session (group membership, partners not allowed to some networks, ...)
Network firewall will manage filter based on IP, APM will manage filter based on multiple criteria. that's why the product is called Access Policy Manager :-)
ACL can be used for L4 (with Network Access) and / or for L7 (portal access, remote desktop, App Tunnel).
If a L4 ACL matches a L7 request because L4 ACL is above Portal Access ACL with SSO, action of L4 will be applied without SSO.
when working with portal access, all requests are initiated with APM IP. the firewall won't be able to filter which user is allowed to access resources.
If you don't put a default drop ACL with the higher number, a user connected to a portal access will be allowed to browse all internal resources by APM. if the APM have a default drop ACL, it will display a blocking page, if this is done by the firewall, the request will be dropped without blocking page.