Seems fairly good - I would consider going 25519-only if you have compatible clients for kex and auth.
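As an added example (not from this thread and not from the Mozilla guidelines), this small POSIX sh audit checks an sshd_config for the 25519-only posture suggested above: curve25519 key exchange, an ed25519 host key, and ed25519-only user public keys. The allowed algorithm names are real OpenSSH identifiers; the two sample configs it checks are constructed here, not taken from any real host.

```shell
# Prints each offending setting and returns 1 if any is found, 0 if compliant.
# Algorithm names accepted for each keyword; anything else is flagged.
ALLOWED_KEX="curve25519-sha256 curve25519-sha256@libssh.org sntrup761x25519-sha512@openssh.com"
ALLOWED_PUBKEY="ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com"

# check_list "<comma,separated,value>" "<allowed names>" "<label>" -> 0 if every name is allowed
check_list() {
    ok=0
    # A leading +, - or ^ edits the OpenSSH defaults instead of replacing them, which
    # silently keeps non-25519 algorithms enabled, so treat that as a finding.
    case "$1" in [+^-]*) echo "$3 modifies defaults instead of replacing them: $1"; return 1;; esac
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        case " $2 " in *" $alg "*) ;; *) echo "non-25519 $3: $alg"; ok=1;; esac
    done
    return "$ok"
}

# audit_sshd_config <file>: sshd_config is "Keyword value" per line, keywords case-insensitive.
audit_sshd_config() {
    bad=0
    while read -r line; do
        case "$line" in "#"*|"") continue;; esac
        key=$(printf '%s\n' "$line" | awk '{print tolower($1)}')
        val=$(printf '%s\n' "$line" | awk '{print $2}')
        case "$key" in
            kexalgorithms) check_list "$val" "$ALLOWED_KEX" "kex" || bad=1 ;;
            pubkeyacceptedalgorithms|pubkeyacceptedkeytypes)
                check_list "$val" "$ALLOWED_PUBKEY" "pubkey" || bad=1 ;;
            hostkey) case "$val" in *ed25519*) ;; *) echo "non-ed25519 host key: $val"; bad=1;; esac ;;
        esac
    done < "$1"
    return "$bad"
}

# Constructed sample configs: one compliant, one with RSA/ECDH left in (3 findings expected).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
printf '%s\n' 'HostKey /etc/ssh/ssh_host_ed25519_key' \
    'KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org' \
    'PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com' > "$GOOD_CFG"
printf '%s\n' '# default-ish config' 'HostKey /etc/ssh/ssh_host_rsa_key' \
    'HostKey /etc/ssh/ssh_host_ed25519_key' \
    'KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256' \
    'PubkeyAcceptedAlgorithms +ssh-rsa' > "$BAD_CFG"

audit_sshd_config "$GOOD_CFG" && echo "compliant: $GOOD_CFG"
audit_sshd_config "$BAD_CFG" || echo "findings in: $BAD_CFG"
```

Run it against a live file with `audit_sshd_config /etc/ssh/sshd_config`; note it only reads the one file and does not follow `Include` directives.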
Some of their concerns with SSH agent forwarding are good too - but make me wonder if writing some little GUI that would have you allow or deny authentication requests would solve the problem.
While not exactly the solution you're looking for, the Mozilla OpenSSH guidelines are quite a bit better than the default sshd_config.