did same deployment again and it seem configuration works correctly. Only difference from Knot Resolver 5 is that now forwarded queries are cached - which is a good thing. So my previous config must contain some mistake.
I'm glad to hear that. I think that caching should work well now for these cases - that even when an NSEC* record from non-forwarded DNS would cover your query, it shouldn't be used. At least unless I misremembered or some bug sneaked in. For example, querying coop1 as query would add NSEC for coop->corsica, proving that no .corp exists and subsequently using that to immediately NXDOMAIN.
--Vladimir