In this document, it says:
Depending on your organization policy configuration, the default
service account might automatically be granted the Editor role on your
project. We strongly recommend that you disable the automatic role
grant by enforcing the iam.automaticIamGrantsForDefaultServiceAccounts
organization policy constraint. If you created your organization after
May 3, 2024, this constraint is enforced by default.

If you disable the automatic role grant, you must decide which roles
to grant to the default service accounts, and then grant these roles
yourself.

If the default service account already has the Editor role, we
recommend that you replace the Editor role with less permissive roles.
To safely modify the service account’s roles, use Policy Simulator to
see the impact of the change, and then grant and revoke the
appropriate roles.
I also noticed that the Default compute service account also seems to be affected and has the automatic role grant disabled by default.

What are the less permissive roles that need to be granted to the App Engine Default Service Account, and maybe also the Default compute service account, on a new project, that will allow you to successfully run gcloud app deploy?
I tried to deploy without any of the roles granted and, of course, I got a permission-related error; however, when I looked at an old project and manually granted the previously automatically granted roles, I was able to successfully deploy. I now want to follow Google's recommendation to replace them with less permissive roles, but I don't know what those roles would be, or whether it has to be done for both the Default compute service account and the App Engine Default Service Account.