btw, any idea if Universal Group Caching can work across forest boundaries (forest trust) ? I’d bet that it can’t, but I am not able to find any documentation on the topic.

So are you saying that UGs take more place in the token than GGs ? The only explanation I can think of would be that when populating the token only the group’s RID of GG is used, while in the UG’s case the whole SID is placed in the PAC.