amazon-ec2 aws-security-group

In AWS EC2, what does a security group with no inbound rules mean?


Does it mean that no inbound access whatsoever is allowed on the instance?


Solution

  • No rules in a security group means that no remote IP address can access your instance on any protocol.

    However, it's important to remember that security groups are stateful. So if you have an outbound rule in your security group for, e.g., HTTP and you send an HTTP request from your instance to a remote HTTP server, the instance will be able to receive the response, even though port 80 is blocked by your security group.

    When a connection is made to or from an instance, a "state" is created that allows bidirectional communication - but only for that connection.

    You can read more about this in the docs here
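
The stateful behaviour described in the answer above, as an added example that is not part of the original answer: a simplified Python model of connection tracking, not AWS's implementation. The class names, fields and addresses are hypothetical and the scenario is constructed.

```python
# Simplified model of stateful security-group filtering (illustrative only;
# not AWS's implementation). All class and field names are hypothetical.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp" or "udp"
    port_from: int
    port_to: int
    cidr: str          # remote range the rule applies to

    def matches(self, protocol, port, remote_ip):
        return (protocol == self.protocol
                and self.port_from <= port <= self.port_to
                and ip_address(remote_ip) in ip_network(self.cidr))

@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    tracked: set = field(default_factory=set)   # flows opened by allowed traffic

    def send(self, protocol, local_port, remote_ip, remote_port):
        """Instance initiates traffic; allowed only if an outbound rule matches."""
        if any(r.matches(protocol, remote_port, remote_ip) for r in self.outbound):
            self.tracked.add((protocol, local_port, remote_ip, remote_port))
            return True
        return False

    def receive(self, protocol, local_port, remote_ip, remote_port):
        """Packet arrives: allowed as a reply to a tracked flow or by an inbound rule."""
        if (protocol, local_port, remote_ip, remote_port) in self.tracked:
            return True
        return any(r.matches(protocol, local_port, remote_ip) for r in self.inbound)

def demo():
    # Constructed scenario: no inbound rules, one outbound rule for HTTP.
    sg = SecurityGroup(outbound=[Rule("tcp", 80, 80, "0.0.0.0/0")])
    server = "203.0.113.10"          # documentation-range address
    return {
        "unsolicited_in": sg.receive("tcp", 22, "198.51.100.7", 50000),
        "http_out": sg.send("tcp", 49152, server, 80),
        "http_reply": sg.receive("tcp", 49152, server, 80),
        "other_host_same_port": sg.receive("tcp", 49152, "198.51.100.7", 80),
        "https_out": sg.send("tcp", 49153, server, 443),
    }

if __name__ == "__main__":
    print(demo())
```

Only the reply on the exact flow the instance opened is accepted; a different remote host hitting the same local port is still dropped, which is the "only for that connection" point in the answer.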