Wanted to add some information to what was provided here from some of my findings:
>> It works - my zone config (host-inbound-traffic) allows it from the zone I tried from (as expected).
Not only do you have to have the host-inbound-traffic but also a policy to allow the traffic.
Example:
Need policy from zone1 (incoming ssh) -> zone2 (where lo0 resides) as well as a policy from zone2 -> junos-host
**Remember, you also need appropriate host-inbound-traffic on zone2; it is not needed on zone1 (see below).**
>> > This means I now have to write a policy to deny SSH from zones 1,2,4,5,6,7,8,9,10 to the junos-host zone. Now picture you have 500 zones.
>> I think that there is no need to write multiple deny policies here - just do not include ssh in host-inbound-traffic configuration for zones 1,2,4,5,6,7,8,9,10 and it will be dropped.
Incorrect, as in these scenarios the ssh traffic is transiting the zones, not going to these zones. But it is still easily remedied with the appropriate policy rules, either from 'zone1 to zone2' or from 'zone2 to junos-host'.
I also tested this within logical-systems, in case anyone was wondering about that scenario.
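
The setup described in this post, written out as Junos `set` commands. This is an added example, not configuration from the original post: the zone names zone1 and zone2 come from the post, while the policy names, the `any` address matches and the lo0.0 unit are assumptions.

```junos
# zone2 is where lo0 resides; ssh has to be listed in its host-inbound-traffic.
# zone1 needs no ssh entry for this flow, because the traffic only transits zone1.
set security zones security-zone zone2 interfaces lo0.0
set security zones security-zone zone2 host-inbound-traffic system-services ssh

# Transit leg: SSH arriving in zone1, destined for the lo0 address in zone2.
set security policies from-zone zone1 to-zone zone2 policy ssh-to-lo0 match source-address any
set security policies from-zone zone1 to-zone zone2 policy ssh-to-lo0 match destination-address any
set security policies from-zone zone1 to-zone zone2 policy ssh-to-lo0 match application junos-ssh
set security policies from-zone zone1 to-zone zone2 policy ssh-to-lo0 then permit

# Host leg: zone2 to junos-host, as the post describes.
set security policies from-zone zone2 to-zone junos-host policy ssh-to-host match source-address any
set security policies from-zone zone2 to-zone junos-host policy ssh-to-host match destination-address any
set security policies from-zone zone2 to-zone junos-host policy ssh-to-host match application junos-ssh
set security policies from-zone zone2 to-zone junos-host policy ssh-to-host then permit

# To block SSH to lo0 from a given source zone, use "then deny" on that zone's
# transit policy instead of relying on its host-inbound-traffic settings.
```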