Hacker News

3abiton, yesterday at 12:44 AM (4 replies)

A stupid question, what's the risk?


Replies

tremon, yesterday at 1:05 AM

The risk is minimal if you control or trust both networks. A network boundary is a natural choke point for access control, so that's where it's usually implemented. For an IPv4 boundary router (as is the topic of the post) you almost certainly need to configure Network Address Translation because your internal network addresses are non-routable on the Internet (at uni my dorm had public IP addresses for each student computer, fun times).

As for the GP's example, running VMs or containers* on your own machine? I'd say the default ACCEPT policy is fine. However, silently changing such a setting on software installation is a problem because if the machine is multi-homed (i.e. has more than one network interface), you've now created a network route outside of the network admin's control.

* The default for docker and podman is to use a private network, not a bridge anyway.

Dibby053, yesterday at 2:59 AM

Basically you're introducing a hole. For example, if you have some devices in your network (like a dodgy TV box) that are not supposed to reach the internet or other parts of the network, the computer with net.ipv4.ip_forward=1 could be used as a pivot. Depending on the routing tables you probably would also need to enable IP masquerading (NAT) to allow bidirectional communication.
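A defender's check for the condition the two replies above describe (net.ipv4.ip_forward=1 on a multi-homed host whose FORWARD chain still has the default ACCEPT policy), added here as an example and not code from the thread; the command output it parses is constructed, and assess_live is a hypothetical helper that runs sysctl, ip and iptables on a real Linux host:

```python
import re
import subprocess

def parse_ip_brief(text):
    """Parse `ip -br addr show` output into {interface: [IPv4 CIDRs]},
    skipping loopback and interfaces that carry no IPv4 address."""
    ifaces = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "lo":
            continue
        v4 = [p for p in parts[2:] if re.fullmatch(r"\d+(\.\d+){3}/\d+", p)]
        if v4:
            ifaces[parts[0]] = v4
    return ifaces

def forward_policy(rules):
    """Extract the FORWARD chain's default policy from `iptables -S FORWARD`."""
    m = re.search(r"^-P FORWARD (\w+)", rules, re.M)
    return m.group(1) if m else None

def assess(ip_forward, ifaces, policy):
    """Rate the risk: forwarding only turns the host into an unmanaged router
    when it sits on two or more networks and FORWARD lets packets through."""
    if not ip_forward:
        return "ok: forwarding disabled"
    if len(ifaces) < 2:
        return "low: forwarding enabled but host is single-homed"
    if policy == "ACCEPT":
        return "high: multi-homed (%s), FORWARD policy ACCEPT" % ", ".join(ifaces)
    return "medium: multi-homed, forwarding on, FORWARD policy %s" % policy

def assess_live():
    """Hypothetical helper: gather the real values with sysctl, ip and
    iptables (iptables may need root) and rate them. Linux only."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    fwd = int(run("sysctl", "-n", "net.ipv4.ip_forward").strip() or 0)
    return assess(fwd, parse_ip_brief(run("ip", "-br", "addr", "show")),
                  forward_policy(run("iptables", "-S", "FORWARD")))

# Constructed sample output for a laptop on Ethernet and Wi-Fi at once.
SAMPLE_IP_BR = """\
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             192.168.1.10/24 fe80::1/64
wlan0            UP             10.0.0.5/24 fe80::2/64
"""
SAMPLE_RULES = "-P FORWARD ACCEPT\n-A FORWARD -i docker0 -j ACCEPT\n"

if __name__ == "__main__":
    print(assess(1, parse_ip_brief(SAMPLE_IP_BR), forward_policy(SAMPLE_RULES)))
```

Hosts using nftables instead of iptables need the policy read from `nft list ruleset` instead; the rating logic is unchanged.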

markhahn, yesterday at 2:52 PM

That you'll get it wrong, I suppose.

After all, most routers/WAPs/gateways that you buy today will have Linux on the inside, configured similarly.

Joel_Mckay, yesterday at 6:36 AM

In almost all Linux-based router setups, folks end up using 6to4 tunnels, packet marking, and interface routing priority.

Setting that up with safe/fair bandwidth-sharing requires intermediate IT skill level. Still a great hobby project =3