Best Practice is to forward events directly to Splunk Cloud. Intermediate forwarders can become a choke point, add a point of failure, add complexity, and are more to manage.
Can you think of a use case (or is it even possible) for splunk cloud to query a heavy forwarder that is onprem?
Forwards (universal or heavy) are never queried. It's possible to send REST requests to a forwarder, but it's a good practice to disable the management port on forwarders to reduce the attack surface.