The FORWARD chain defaulting to ACCEPT is one of those things that bites people hard in incident investigations. A compromised host with ip_forward enabled silently becomes a pivot point — the attacker can route through it to reach internal networks that were never meant to be reachable from that segment.
Worth adding to any hardening checklist: if you don't explicitly need forwarding, set the default FORWARD policy to DROP and only whitelist the routes you actually want.
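
One way to check a host for this combination, as an added example that is not part of the original comment. The function names and verdict labels are this example's own, and the sample rule text, interface names and subnet are constructed.

```shell
#!/bin/sh
# Added example (not from the original comment). Inputs are passed as text so
# the check runs offline; on a live host use:
#   audit_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -S FORWARD)"
# IPv6 is separate: ip6tables and /proc/sys/net/ipv6/conf/all/forwarding.

# Print the default policy of the FORWARD chain from `iptables -S` text.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Count explicit ACCEPT rules in FORWARD (the allowlist to review).
forward_allow_count() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i < NF; i++) if ($i == "-j" && $(i + 1) == "ACCEPT") n++
        }
        END { print n + 0 }'
}

# Verdicts: RISK     forwarding on and default ACCEPT (host routes anything)
#           LATENT   default ACCEPT, forwarding off (one sysctl from RISK)
#           OK       default DROP; allow_rules is what still gets through
#           UNKNOWN  no FORWARD policy line in the input
audit_forwarding() {
    policy=$(forward_policy "$2")
    case "$policy" in
        ACCEPT) if [ "$1" = "1" ]; then echo "RISK"; else echo "LATENT"; fi ;;
        DROP)   echo "OK allow_rules=$(forward_allow_count "$2")" ;;
        *)      echo "UNKNOWN" ;;
    esac
}

# Constructed sample inputs (interfaces and subnet are made up).
SAMPLE_DEFAULT='-P FORWARD ACCEPT'
SAMPLE_HARDENED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i eth1 -o eth0 -j ACCEPT'

audit_forwarding 1 "$SAMPLE_DEFAULT"
audit_forwarding 0 "$SAMPLE_DEFAULT"
audit_forwarding 1 "$SAMPLE_HARDENED"
```

A LATENT result still deserves a fix: anything that later enables `ip_forward` (a container runtime, a VPN package) turns it into RISK without touching the firewall.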