Hello there,
Yes, it is possible to set up just one PAM trust from the user forest towards a new bastion forest, but it has limited scope.
The forest can house additional management functions and applications, but each increase in scope will increase the attack surface of the forest and its resources. The objective is to limit the functions of the forest to keep the attack surface minimal.
The PAM approach with a bastion environment provided by MIM is intended to be used in a custom architecture for isolated environments where Internet access is not available, where this configuration is required by regulation, or in high-impact isolated environments like offline research laboratories and disconnected operational technology or supervisory control and data acquisition environments.
Hope this resolves your query!
--If the reply is helpful, please Upvote and Accept it as an answer--