Default Route on Mx (Auto-VPN)

Solved
JpAlvesCroce22
Here to help

Hello everyone, how are you?
To put it in context, I'm taking over the management of a new organization and we don't have much communication with the previous administrators.

I'm checking the routing and they have deployed something that catches my attention and I think it's misapplied.

 

The scenario consists of a central site as a hub and 50 locations as spokes.
Full tunnel is applied through Auto-VPN, but the central site also announces the default route 0.0.0.0/0 to the spokes of the organization.

 

So in the routing table I have three entries for 0.0.0.0/0, and two correspond to "Meraki VPN: Static Route".

 

The question is... if I eliminate the route 0.0.0.0/0 that is announced from the central site and leave only the "IPv4 default route" Checkbox enabled, shouldn't it be affected since they do the same thing?

1 Accepted Solution
Ryan_Miles
Meraki Employee

This config is typically done to send spoke traffic to another egress point like another firewall. For example internet bound traffic from a spoke going over the full tunnel to the routed mode hub will enter the hub then be sent out the hub's default gateway (WAN interface).

 

I've seen instances in which the requirement is to not exit right back out of the hub's WAN port, but rather send to another firewall to do whatever inspection, rules, etc. And in such cases that's when the 0/0 LAN side route is needed on the hub.

 

But when that is the requirement I think there's a serious question that needs to be asked of why use routed mode and not concentrator mode.

10 Replies
ww
Kind of a big deal

Is your hub a routed mode location with a default route to the lan side?

 

Or is your hub a one-armed concentrator?

JpAlvesCroce22
Here to help

The hub is configured in router mode, effectively with a default route pointing to the LAN (Browsing Firewall)

JpAlvesCroce22
Here to help

Thanks for the reply @Ryan_Miles .
Perfect, then we can say that to carry the default traffic (0.0.0.0/0) to another firewall device that is on the same LAN as our hub, it is necessary to have the propagated route 0.0.0.0/0 via the navigation firewall.

 

Would it be necessary to propagate it through the auto-vpn?

Ryan_Miles
Meraki Employee

Yes it would be required to be enabled within the VPN config.

akadmin
Just browsing

I have the same question as OP, but I still don't understand.

 

Hub has default route pointed toward LAN, and it is advertised into the Auto-VPN fabric. On the spoke VPN config, what does the checkbox for "IPv4 Default Route" exactly do? I'm already default routing from the hub, as 0.0.0.0/0 is advertised into the VPN fabric. It would appear as if this feature does nothing in this instance. I couldn't get an answer to this from my SE, or support.

Ryan_Miles
Meraki Employee

If I'm not mistaken I think the key difference would be this. And this is specifically for a Routed mode hub as Concentrator mode only has one interface/one route out from itself.

 

With a Routed mode hub if you select default route on a spoke it would send all traffic to the hub. But then traffic would egress back out of the hub WAN interface unless there was a more specific route to some other destination.

 

Whereas if the hub has a 0/0 static route to a LAN side next hop and that's enabled in the VPN then traffic from the spoke would go to the hub then follow the next hop to the LAN side IP.

 

Others can check my work and chime in if I'm off base.

 

I've tried to capture the main points & differences in this deck
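The forwarding difference described in the post above can be checked with a small route-lookup model. The script below is an added example, not Meraki code or anything from this thread's participants: it builds a longest-prefix-match routing table for one spoke and one routed-mode hub, then traces where an internet-bound packet ends up under the two hub configurations (plain WAN egress at the hub versus a 0/0 static route to a LAN-side firewall advertised into Auto-VPN). The topology, prefixes (10.50.0.0/24 spoke LAN, 10.0.0.0/24 hub LAN) and the firewall next hop 192.0.2.1 are constructed placeholders; the assumption that a hub static route takes precedence over the hub's implicit WAN default is modelled by listing it first.

```python
import ipaddress

# Constructed topology (not from the thread): one spoke, one routed-mode hub,
# a LAN-side firewall behind the hub. All addresses are placeholders.
SPOKE_LAN = "10.50.0.0/24"
HUB_LAN = "10.0.0.0/24"
HUB_LAN_FIREWALL = "192.0.2.1"   # hypothetical LAN-side next hop (TEST-NET-1)


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop).

    Ties on prefix length go to the entry listed first, which is how the
    model expresses 'static route beats the implicit WAN default'."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def spoke_table(hub_advertises_default, default_route_checkbox):
    """Spoke routes: own LAN, hub LAN learned over Auto-VPN, then a default.

    Either the hub advertising 0/0 ("Meraki VPN: Static Route") or the spoke's
    "IPv4 default route" checkbox points the spoke's default at the hub;
    otherwise the spoke breaks out locally via its own WAN (split tunnel)."""
    table = [(SPOKE_LAN, "lan"), (HUB_LAN, "vpn:hub")]
    if hub_advertises_default or default_route_checkbox:
        table.append(("0.0.0.0/0", "vpn:hub"))
    else:
        table.append(("0.0.0.0/0", "wan"))
    return table


def hub_table(hub_lan_default):
    """Hub routes: own LAN, spoke LAN via VPN, optional 0/0 static route to the
    LAN-side firewall, and always the implicit WAN default (listed last)."""
    table = [(HUB_LAN, "lan"), (SPOKE_LAN, "vpn:spoke")]
    if hub_lan_default:
        table.append(("0.0.0.0/0", HUB_LAN_FIREWALL))  # static route wins the tie
    table.append(("0.0.0.0/0", "wan"))
    return table


def trace(dst, hub_advertises_default, default_route_checkbox, hub_lan_default):
    """Return the hop-by-hop path a packet from the spoke LAN to dst takes."""
    path = ["spoke"]
    nh = lookup(spoke_table(hub_advertises_default, default_route_checkbox), dst)
    if nh == "wan":
        return path + ["spoke-wan"]           # local breakout, never reaches the hub
    if nh == "lan":
        return path + ["spoke-lan"]
    path.append("hub")                        # full tunnel: everything goes to the hub
    nh = lookup(hub_table(hub_lan_default), dst)
    if nh == "wan":
        return path + ["hub-wan"]             # hairpins straight back out the hub WAN
    if nh == "lan":
        return path + ["hub-lan"]
    return path + [f"firewall {nh}"]          # follows the LAN-side static route


if __name__ == "__main__":
    cases = [
        ("checkbox only, hub egresses WAN",      dict(hub_advertises_default=False, default_route_checkbox=True,  hub_lan_default=False)),
        ("hub 0/0 to firewall, advertised",      dict(hub_advertises_default=True,  default_route_checkbox=False, hub_lan_default=True)),
        ("both checkbox and advertised 0/0",     dict(hub_advertises_default=True,  default_route_checkbox=True,  hub_lan_default=True)),
        ("split tunnel, nothing set",            dict(hub_advertises_default=False, default_route_checkbox=False, hub_lan_default=False)),
    ]
    for label, flags in cases:
        print(f"{label:38s} 8.8.8.8 -> {' > '.join(trace('8.8.8.8', **flags))}")
```

Running it shows the two behaviours the post contrasts: with only the spoke checkbox set, internet traffic enters the hub and leaves via the hub WAN; with a LAN-side 0/0 static route it is handed to the firewall instead. The third case also makes the later observation in this thread concrete: once the hub advertises 0/0 into Auto-VPN, ticking the spoke checkbox changes nothing in the path.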

akadmin
Just browsing

I am using routed mode hubs, and the default route on each DOES point to a core switch on the LAN side.

It's been like 7 months since I tested this, but if I remember correctly, I didn't need to even check the box on the spoke for them to follow my default route to the hubs, since the hubs were already advertising a default AND it was visible in the route table.  During a maintenance window, I checked the box, and then disabled 0.0.0.0/0 on the hubs from being advertised into VPN fabric, but this broke the path, so no matter what, it appears I must announce a 0.0.0.0/0 from the hubs.  From my perspective, this feature doesn't do anything at all.

Ryan_Miles
Meraki Employee

If already advertising a 0/0 from the hub I would agree that checking the default route box is probably redundant.

akadmin
Just browsing

I think I understand now. I think this feature is to be used when you're using the hub as your internet egress point, because you don't actually have a 0.0.0.0/0 route to advertise into Auto-VPN in that instance. You just have the "baked in" default route on the MX hub from it having an internet connection. When you have a static default to the core switch, you're advertising that into Auto-VPN, and therefore you don't need the box checked and it is indeed redundant. Thanks for the replies!
