It's largely pointless to forbid it because once you have a byte stream (which you obviously do with ssh), you can tunnel whatever you want over it anyway. SSH own docs even point this out; man sshd_config(5):
"Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders."
