helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page: https://helmetjs.github.io/


Outdated referrer-policy fallback

sauravhiremath opened this issue

The referrer-policy fallback is no-referrer in the helmet project (codebase-link).
But the latest docs have updated the fallback to strict-origin-when-cross-origin.

Source - https://w3c.github.io/webappsec-referrer-policy/#default-referrer-policy

I can work on the fix if the changes are approved.

I'll take a look at this. It's probably a breaking change, too, so we should keep that in mind.

I took a look at this, and I don't think we want to do this.

Helmet's defaults aren't necessarily the defaults in the spec. no-referrer preserves privacy a bit better than strict-origin-when-cross-origin, which is why I selected it for Helmet's default. In other words, it doesn't matter what the spec says.

Does that make sense? What do you think?

I'm going to close this issue because I don't think there's more to do here. Let me know if that's wrong and I'm happy to reopen.