MicrosoftSooo turns out it actually is possible to make Policies/Silos work across multiple forests, at least partially.
We all agree that membership in a Silo is materialized by the presence of an "AuthenticationSilo" claim in the ticket, right? And Policies "rules" can rely on silos to restrict authentication.
However claims get stripped when "crossing into another forest" via a trust relationship. This isn't unique to silos; it affects any claim.
So, if we could pass those claims to the target forest, one would thing it might work...
Well, turns out it's possible by defining an AD Claim Transform Policy, as described here : https://petri.com/dynamic-access-control-dac-cross-forest-access-control/
I've tested it and it works, however from my testing it seems that it only works in the "same direction" as the forest trust; which absolutely makes sense.
So let's say we have a typical red forest+prod forest with a one-way trust.
"red\admin_t0" user is a member of "T0-Silo" in Red forest, and "T0-Policy" is a policy in Prod forest protecting computer prod\srv_t0 with rule Computer-AllowedToAuthenticateTo = Silo "T0-Silo" . In that scenario, red\admin_t0 can authenticate to prod\srv_t0 because Prod forest trusts Red forest.
However if we have prod\srv_t0 member of "T0-Silo" in prod forest and "T0-Policy" in Red forest protecting user red\admin_t0 with rule User-AllowedToAuthenticateFrom = Silo "T0-Silo" authentication fails because Red forest does not trust Prod forest.
With a 2ways trust, claims are "trusted" both ways and so both scenarios work.
