The CA Top Secret Release 16.0 documentation says :

VERIFY | NOVERIFY Is ignored at CA Top Secret Release 16 and higher.

Does this mean that JES(VERIFY) is the default ?

In the CA Top Secret parameter file, JES(NOVERIFY) is still specified. 

TSS9661I CA TOP SECRET JES STATUS
 JCT(INDEV=0328,ROUTE=0324,NJHDR=0000)
 JES(SSID=JES2,TYPE=JES2,LEVEL=Z/OS 2.1,NOVERIFY)
 JESNODE(*NONE*) NJEUSR(NJE)
 JOBACID(U,8,0) SUBACID(U,8)

Release:
Component: TSSMVS

When Top Secret 16.0 went GA, JES(NOVERIFY) was no longer supported, however, this introduced an issue for some sites that use JES2 exits.
To alleviate this and other issues, the following Top Secret PTFs were written: 

RO88932 - Restores JES(NOVERIFY) processing to insert the USER= parameter on all jobs submitted. (NOTE: The PASSWORD= parameter is not inserted.)

SO04024, SO04627, and SO05230 - Add support for IBM maintenance OA53954/OA53955.

SO04936 - Add support for JES_NJE_SECURITY OA49171 NODE CHECKING.

So now JES(NOVERIFY) is supported, but Top Secret will only insert the USER= parameter, NOT the PASSWORD= parameter, on the jobcard.
The submitting ACID will always be checked by Top Secret.