Yes, nonces should always be used when an authenticated user is triggering an action via a GET/POST request. One of the main purposes of the nonce is it ensure that the current user actually intended to trigger this request. It prevents the security vulnerability known as Cross-Site Request Forgery (CSRF), where an attacker can trick an authenticated user into taking an action they didn’t intend to. Checking for a valid nonce prevents this, because the attacker cannot guess the nonce, so they can’t forge a form submission request and trick an admin into submitting it.
Note that the the attacker doesn’t have to have access to the form itself, as your plugin presents it, in order to perform this attack. They can create their own imitation form or trigger the request in another way.