Allowing command-restricted users to trivially bypass firewalls by default is insecure.
Most individuals (myself included) don't realize that SVN over SSH with command-restricted SSH keys would allow the users unmitigated access to the SVN server's network. I should know better, but still have made the mistake.
Command-restricted users are NOT the SSH default. If the sysadmin is taking the trouble to restrict the user's privileges, they need to restrict forwarding as well. By the argument that you and others make, the SSH server should not allow ANY access at all by default -- the sysadmin should apparently have to enable everything explicitly.
Given the fact that the organization responsible for creating OpenSSH has -- on more than one occasion-- left their own servers susceptible to abuse due to SSH forwarding issues, it seems reasonable to assume that the default setting most likely to prevent abuse is "off".
Most individuals (myself included) don't realize that SVN over SSH with command-restricted SSH keys would allow the users unmitigated access to the SVN server's network. I should know better, but still have made the mistake.