Well, setups using forced commands are relatively common with SSH (case in point: probably any Git server you've ever accessed over SSH); if one of those setups also allowed their user to specify ssh_config rules without realizing that Match can exec things there'd be a problem. I think that's a bit of a stretch though.
The ForcedCommand is server-side, the Match exec from ssh_config is done client-side. The server has no way to enforce which commands the client can run locally.
