I am looking at the docs for add_meta_box. They used a nonce.
wp_nonce_field( plugin_basename( __FILE__ ), 'myplugin_noncename' );
I am wondering, probably the save post form itself should already have a nonce so this is redundant?
Yes, the save action has a nonce already. But you don’t know it – so you cannot validate it. Besides that, you may want to fill a meta box from other places like a user profile or the dashboard, and then you need your own nonce anyway.
An example from my current work: There is a custom post type domicile with a booking schedule meta box. My client is the agent or broker (English is not my native language …) for the domicile and fills the schedule from the editor for the CPT. But the owners of the domiciles can fill the schedule too – from their dashboard. I just load all booking schedules they are assigned to and they edit them without ever seeing the complete data of the domicile.
Without separate nonces this would be very awkward.
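A meta box that carries and verifies its own nonce, as an added example that is not part of the original question or answer. The `domicile` post type comes from the answer; the `myplugin_` function names, field names and the `_myplugin_schedule` meta key are hypothetical.

```php
<?php
// Added example: every "myplugin_" name and the meta key are hypothetical.

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'myplugin_schedule', 'Booking schedule', 'myplugin_render_schedule_box', 'domicile' );
} );

function myplugin_render_schedule_box( $post ) {
    // The action string is bound to this box and this post. The field name is
    // our own, so the save handler knows exactly which $_POST key to verify.
    wp_nonce_field( 'myplugin_save_schedule_' . $post->ID, 'myplugin_schedule_nonce' );
    $value = get_post_meta( $post->ID, '_myplugin_schedule', true );
    printf(
        '<textarea name="myplugin_schedule" rows="5" class="widefat">%s</textarea>',
        esc_textarea( $value )
    );
}

add_action( 'save_post_domicile', function ( $post_id ) {
    // Box not submitted (quick edit, REST, another form): nothing to do.
    if ( ! isset( $_POST['myplugin_schedule_nonce'], $_POST['myplugin_schedule'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['myplugin_schedule_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'myplugin_save_schedule_' . $post_id ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // A nonce proves intent, not permission: check the capability separately.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $schedule = sanitize_textarea_field( wp_unslash( $_POST['myplugin_schedule'] ) );
    update_post_meta( $post_id, '_myplugin_schedule', $schedule );
} );
```

Because the nonce action and field name belong to the box rather than to the post editor, the same render function and the same verification steps can back a form shown elsewhere, such as a dashboard page.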