Default policy for OUTPUT
Solution 1:
The "risk" is that any process on the machine is then allowed to initiate a network connection and send network packets.
That means there is nothing on the server to block any user, legitimate or not, nor any process from potentially trying to connect any other networked device within your own network or possibly the whole internet.
Often that isn't much of a problem, it is considered the responsibility of the remote systems to restrict incoming traffic in the first place and you might have firewall policies already on critical points in your network.
Setting the default policy to anything else, for instance REJECT, means that you will need to explicitly authorise all legitimate traffic flows, which requires a thorough understanding of your system and all applications and dependancies that run on your server. Often that means a considerable administrative burden.
The benefit is of course that the potential impact of misconfigured application is mitigated, it might make it more difficult to abuse a system, although on a thoroughly compromised system the attacker can always simply switch off a software firewall...
From a security perspective it is of course quite simple, anything that isn't explicitly allowed is to be denied. That makes a lot of sense in an environment with strong security requirements and for instance on a dedicated firewall, on a multi-purpose server doing so might be prohibitively difficult.