Is "*" or the server's URI the default value for Access-Control-Allow-Origin header? If the header is not set, does it mean that every origin has access to the resource?
There is no default value.
If it isn't set, then it isn't set. If it is set, then it must have an explicit value.
If the header is not set, does it mean that every origin has access to the resource?
No. It means that the Same Origin Policy is enforced as normal. No origins are granted permission.
the server's URI
There is no reason to ever set the Access-Control-Allow-Origin to be the server's own URL. Same Origin requests don't need permission from CORS.