Yea, but there’s a security boundary wherein you don’t want the SSH host to be executing code in your environment. Of course, the attackers can backdoor sshd to log credentials, setup init scripts on the host to execute code every client login and other shenanigans.

Of course. So it's not really that out of the question if you are using agent forwarding, so, yeah, this is a big deal.