
This article is silly. You can't grab low ports without root. This setting does nothing because users have privileges to grab high ports anyway. For example, they can write simple scripts to listen instead of using SSH for it.

On the other hand, SSH forwarding is extremely useful and serves as a nice alternative to VPN when you need it.




Maybe you didn't read carefully enough. Users who don't have shell access probably should not be able to proxy traffic through the server, but OpenSSH allows it by default.


Being flippant for a minute, if you want your users to have access to a box but not have a shell, a tool called "secure shell" may not be the wisest choice.

Setting the default to frankly crippling levels for the primary function of a tool to accommodate an edge case seems slightly backwards to me. Host firewalls and/or disabling the option seem to be an acceptable set of hardening tasks if that use case is relevant to you.


But you have to set that sort of user account up specially, at which time you can disable tcp forwarding. What he wants to change is the sshd default.


I agree with the poster.

There are two situations:

1) Non-shell use only -- you want port forwarding turned off. Unless you're using the machine as a proxy, it's just waiting to be used as part of a larger hack scheme.

2) Shell use only -- Normal logging in and shell use doesn't necessitate port forwarding. The only time it is generally useful is for forwarding X11 back to the client, but frankly that's not nearly as useful as it was 10 years ago. If you've got an X install on your server, and an X server on your client, then you're in a sufficiently-select subset of the user population to have to turn on one config option in sshd_config.

In either case, I think it should be turned off by default.
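As an added example (not from any commenter in this thread), here is how the two cases above map onto sshd_config: forwarding stays available to interactive users, while a non-shell account group is denied it explicitly. The group name `sftponly` and the chroot path are assumptions for the example.

```conf
# Global defaults: interactive admin users keep the tool's primary function.
# (OpenSSH's shipped default is AllowTcpForwarding yes; stated here so the
# intent is visible rather than inherited silently.)
AllowTcpForwarding yes
X11Forwarding no

# Non-shell accounts: members of the (assumed) group "sftponly" get a
# restricted SFTP session and none of the proxying features.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

To confirm what a given account actually gets after the Match blocks are applied, run `sshd -T -C user=alice,host=example.net,addr=192.0.2.10 | grep -i forwarding` (placeholder user and addresses) on the server.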



