I'm torn on UPnP in general. If there's something malicious running on my network that could send a UPnP request to my router to open a port, then it could also open a persistent connection to some command-and-control server somewhere and achieve a similar result (and I'd possibly even be less likely to notice this). Sure, it's more taxing on a central server to have to maintain all these connections than to be able to make short-lived outgoing connections at will, but I don't think that's that much of a concern these days.

Having said that, I still disable UPnP on my routers if it's enabled by default... just feels safer that way. Even if the intended use of the port forward is legitimate, other non-legitimate folks on the public internet could presumably use that port forward as well to exploit a vulnerability in the software in my network that's on the other end of that port.

I'm also not sure how relevant UPnP is these days, with many people on the internet behind CGNAT, not even getting a publicly-addressable IPv4 at their home router. I suppose many of those people have routable IPv6 addresses, though, assuming UPnP port forwarding supports IPv6.