
You read the article.. but apparently only one throwaway line and not the actual meat. Good try tho.


You are somewhat right here, it should probably be disabled by default, but I believe you're misinterpreting what the docs say.

  AllowTcpForwarding
        Specifies whether TCP forwarding is permitted.
        The default is “yes”.  Note that disabling TCP
        forwarding does not improve security unless users
        are also denied shell access, as they can always
        install their own forwarders.
Basically this says, disabling TCP forwarding doesn't add any real security UNLESS your users don't have shell access. This is not a throwaway statement because many SSH accounts do not have shell access. For example, my Rsync.net backup account allows me to access it over ssh, but I can only run predetermined commands that are deemed safe by the sysadmin (ls, cp, mv, etc, AND in a jail). So in this case disabling it WOULD add security, since I don't have real shell access. Also, it is quite easy to install a tcp forwarder as long as you have some access to any real language interpreter.

At my university, they throttled speeds for the residential network, so I compiled a simple Java SOCKS proxy and ran it on one of their servers that I had student access to, which allowed me to bypass the speed restriction. Hell, if you wanted to, you could cook something up with bash and netcat. To summarize, this is a great feature to have, and also one I use often. At most, it should be disabled by default, but in most cases it won't matter since people who can use it usually have shells too.

And really, this is what sysadmins get paid to do!
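The restricted-account case described above (forwarding disabled AND no shell), written out as an sshd_config fragment. This is an added example, not from the thread or from any particular provider; the `backup` user and group names, the chroot path and the `Match` layout are assumptions.

```sshd_config
# Constructed example: forwarding stays enabled for ordinary users, as upstream ships it.
AllowTcpForwarding yes

# Backup-only accounts: the sshd(5) note says disabling forwarding is pointless while the
# user still has a shell, so this Match block removes the shell as well as the forwarding.
Match Group backup
    # No SSH-level forwarding of any kind.
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no

    # No shell, no PTY: every session runs the sftp subsystem, whatever the client asked for,
    # so the user cannot compile or run their own forwarder on the host.
    PermitTTY no
    ForceCommand internal-sftp
    ChrootDirectory /srv/backup/%u
```

After editing, `sshd -T -C user=alice -C host=x -C addr=192.0.2.10` (replace `alice` with a member of the `backup` group; `host` and `addr` are placeholders) prints the effective settings for that user, so the `Match` block can be checked before restarting the daemon.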


Actually, I read the full article and not "one throwaway line." The one line that I quoted is the crux of your argument against the implementor's decision to allow forwarding by default. Don't know what you mean by the "actual meat."




