Security Boundaries where do they stop and start

I was discussing  recently with my customer where security boundaries within the Active directory start and stop. This discussion came about as they were under the impression that the Domain was a security boundary. This can be a quite a confusing area because people assume that because each seperate domain has its own Domain Administrator that this somehow prevents other Domain Administrators  from potentially  doing some  malicious damage from another domain within the forest or from accessing data in their domain. Check out the following article, this clarifies the fact that it is in fact the Forest that is the security boundary not the Domain. As it states;

"In general, a security boundary is defined by the top-level container for which no administrator external to the container can take control away from administrators within the container. As shown in the following figure, no administrators from outside a forest can control access to information inside the forest unless first given permission to do so by the administrators within the forest"