For me, the main use of agent-forwarding is that I need to use a command that expects to use SSH to get between leaf nodes. For example, git or rsync CLIs that need to manipulate the local filesystem and tunnel their own protocol over SSH to talk to another remote server.
At times, I've wished for something like uMatrix but for ssh-agent forwarding, so I could have policies for which peer-to-peer authentications should be allowed for which keys and whether these specific uses should require interactive confirmation.
I now have a design in my head for something like that using ssh certificates. Since I have zero use for such a thing I would probably build it wrongly though.
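One way the wished-for policy can be approximated with stock OpenSSH 8.9 or later, as an added illustration that is not part of the comment above (host names are constructed): ssh_config decides per host whether the agent is forwarded at all, and ssh-add's destination constraints plus confirmation decide which hosts a forwarded key may authenticate to and whether each use must be approved interactively.

```ssh_config
# ~/.ssh/config fragment (added example; hosts are made up)

# Default deny: no host gets the agent unless listed below.
Host *
    ForwardAgent no

# Only the jump host may use the forwarded agent.
Host bastion.example.org
    ForwardAgent yes

# Load the key with constraints in the shell before connecting.
# -c : every signature request must be confirmed via ssh-askpass.
# -h : the key may be used to log in to bastion.example.org, and from
#      there only onward to git.example.org; any other hop is refused
#      by the agent. Both hosts need entries in known_hosts, and client,
#      agent and the intermediate host must all run OpenSSH 8.9 or newer.
#
#   ssh-add -c \
#       -h "bastion.example.org" \
#       -h "bastion.example.org>git.example.org" \
#       ~/.ssh/id_ed25519
```

A key added without `-h` keeps today's behaviour (usable for any onward hop once forwarded), so the constraint has to be applied at load time for every key that will be forwarded.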