The keyserver stuff just pertains to how to look up public keys you don’t have locally. I basically never use it.
You do need a gpg-agent to use gpg at all. gpg will not function without an agent since a while back, though it will start one on the fly if it doesn’t find one already running (which I turn off with no-autostart
since it can muck up my systemd-started instance).
You can set the main key to have only cert capabilities if you want. However the other 3 roles are en/decrypt, sign, and authenticate. Encrypt and decrypt happen with the same subkey, though obviously one happens with the public key and one with the private. “Authenticate” is used if you set up ssh-agent emulation. It’s fundamentally also a kind of signing, but since the intended use has different security properties it gets its own category.
default-key always points to the main key, not subkeys. As a rule, you basically never refer to subkeys directly in gpg stuff. The subkey marked with the appropriate role will still be used.