Hacker News

jcalvinowens, yesterday at 5:07 PM

People saying "the FORWARD chain defaults to ACCEPT" are missing the deeper point: with the kconfig most distros use, the filtering code doesn't even exist at all until you load the kernel modules!

At the lowest level, it is impossible to have a default DROP for forwarding, because nftables is an optional piece of the kernel that often isn't loaded.
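A host-side check for the situation the comment describes, added here as an example and not part of the comment: it classifies a machine as forwarding with no filter code loaded, forwarding with a default-accept forward path, or forwarding behind a default-drop base chain. The function name, verdict strings and sample inputs are constructed for illustration; it assumes IPv4, nftables only, and that `nf_tables` is built as a module so it shows up in `/proc/modules`.

```shell
#!/bin/sh
# Added example. On a live host, feed it:
#   forward_filter_state "$(cat /proc/modules)" \
#       "$(cat /proc/sys/net/ipv4/ip_forward)" "$(nft list ruleset)"

forward_filter_state() {
    modules=$1      # contents of /proc/modules
    ip_forward=$2   # contents of /proc/sys/net/ipv4/ip_forward
    ruleset=$3      # output of `nft list ruleset` (may be empty)

    # Routing between interfaces is off: nothing is forwarded at all.
    [ "$ip_forward" = "1" ] || { echo "not-forwarding"; return 0; }

    # A base chain on the forward hook whose policy is drop.
    # nft prints hook and policy on one line, so a per-line match is enough.
    if printf '%s\n' "$ruleset" | grep -Eq 'hook forward .*policy drop'; then
        echo "default-drop"; return 0
    fi

    # No nf_tables entry in the module list: the filtering code is not loaded,
    # so there is no chain whose policy could be DROP.
    if ! printf '%s\n' "$modules" |
        awk '$1 == "nf_tables" { found = 1 } END { exit !found }'; then
        echo "no-filter-code"; return 0
    fi

    # Module loaded, but nothing on the forward hook drops by default.
    echo "default-accept"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_MODULES_NONE='ext4 1003520 1 - Live 0x0000000000000000
e1000 159744 0 - Live 0x0000000000000000'
SAMPLE_MODULES_NFT='nf_tables 303104 2 - Live 0x0000000000000000
ext4 1003520 1 - Live 0x0000000000000000'
SAMPLE_RULESET_DROP='table inet filter {
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}'
SAMPLE_RULESET_INPUT_ONLY='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
	}
}'
```

A `no-filter-code` verdict on a router or container host is the case from the comment: packets are forwarded and no rule, default or otherwise, is in the path.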