Is there an example somewhere of such a setup, with ACL ending up on two different TLS_FORWARD and one with no cache?
I'm not aware. Disabling cache should still work by this hack:
https://lists.nic.cz/hyperkitty/list/knot-resolver-users@lists.nic.cz/message/FB4NPR65WYYRYDS3ET5VHCW4U4TOE2CP/
But I suspect that our DNSSEC validator won't work well without caching, possibly pulling the same record multiple times during a single client's request, e.g. when encountering CNAME jumps across zones.