Edit:
Nevermind, tried it, not sufficient for my use case.
I tend to do a lot of mesh-y bouncing around between servers, and -J seems to be more intended for a star/hub-and-spoke topology. Common ssh priv-key to all machines, or alternatively, a unique set of priv_keys per user per dest machine is about the way to go. You still have privilege escalations to worry about, but them's the breaks.
It's not limited to star topologies; you can use ProxyJump for any topology that includes fixed routes from a client to a host. Just add a separate host entry for each machine.
Four-server example (this assumes your client can connect only to host C) with the following topology:

C -> B -> A
 \-> D
ssh configuration snippet:
Host A
    ProxyJump B
Host B
    ProxyJump C
Host D
    ProxyJump C
This example is a tree-like topology, but you can use host aliases (i.e. add a HostName that is different from the host entry) to define any fixed route to any machine you like.
For me, the main use of agent-forwarding is that I need to use a command that expects to use SSH to get between leaf nodes. For example git or rsync CLIs that need to manipulate the local filesystem and tunnel their own protocol over SSH to talk to another remote server.
At times, I've wished for something like uMatrix but for ssh-agent forwarding, so I could have policies for which peer-to-peer authentications should be allowed for which keys and whether these specific uses should require interactive confirmation.
I now have a design in my head for something like that using ssh certificates. Since I have zero use for such a thing I would probably build it wrongly though.
Just generate a new keypair there on your bounce box then. Don't do -A because this RCE means that not only do you lose your keys, but you lose your laptop, too!
A box you can't trust to hold your keys could just as easily put an ssh -A command in your bashrc and use your agent to perform stuff on any servers your key is accepted on.
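As an added example (not posted by anyone in this thread), here is a client-side ssh_config that puts the two points above together: the four-host ProxyJump tree with an aliased second route to A, and agent forwarding switched off by default so that a bounce box never holds or relays your keys. Host names A, B, C, D, the address of C, the key file names and the "a-via-d" alias are placeholders.

```sshconfig
# Added example; not from the thread. All host names and paths are placeholders.

# Default for every host: do not forward the agent, and only offer the key
# named for that host (keeps a hop from seeing which other keys exist).
Host *
    ForwardAgent no
    IdentitiesOnly yes

# The one machine the client can reach directly.
Host C
    HostName c.example.internal
    IdentityFile ~/.ssh/id_ed25519_c

# Tree from the thread: C -> B -> A and C -> D.
# Each hop is a direct-tcpip channel through the jump host, so the client
# authenticates end to end with its own key; no key ever lives on B, C or D.
Host B
    ProxyJump C
    IdentityFile ~/.ssh/id_ed25519_b

Host A
    ProxyJump B
    IdentityFile ~/.ssh/id_ed25519_a

Host D
    ProxyJump C
    IdentityFile ~/.ssh/id_ed25519_d

# Alias for a second fixed route: the same machine A, but reached via D.
# The Host label differs from HostName, so both routes coexist.
# (D's own ProxyJump C entry still applies, giving C -> D -> A.)
Host a-via-d
    HostName A
    ProxyJump D
    IdentityFile ~/.ssh/id_ed25519_a
```

Loading the keys with `ssh-add -c` makes the agent ask for confirmation on every signature, which covers the per-use interactive prompt wished for earlier in the thread, although not a per-key, per-peer policy.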
It's a neat trick, I'll give it that.