Service: any; Application: application-default
This will allow any application but only on their default ports. For example if the firewall sees 'ssl' it is only allowed on port 443/tcp.
Service:any; Application: any
This will allow absolutely any, so compared to application-default 'ssl' is allowed on any port for example.
Hope this helps