What do you consider as "valid offsets"?
The normal behavior up to PC/AT is to wrap around. i.e. FFFF:0010 actually accesses 0:0.
On PC/AT and above you have the A20 gate to determine whether FFFF:0010 refers to either 0:0 or 10000:0.

I think 386 DOS extenders throw a fault in case of accessing bad pages, but I doubt that they do this for HMA accesses, as that one is usually governed by DOS.

I've only seen expand down segments used by os/2 1.x. It's possible that the max limit might be used to lazily allocate the stack but I'm not sure if anything does.

@retardware: I mean a 16-bit segment top-down segment descriptor loaded with a limit of FFFF to FFFFFh. That descriptor will load into the descriptor cache without any problem(e.g. MOV DS,AX), but when software tries to access ANY address(doesn't matter which one), it results in a #GP(0) fault because only accesses larger than FFFFh(or larger when set between 10000 and FFFFF) are valid and offsets larger than FFFFh are invalid due to it being a 16-bit segment descriptor(B-bit is cleared).

It might theoretically be used for stuff like trapping ANY access to any software kind of memory allocation, with the software in the kernel handling the real access of said segment(think in terms of, say, emulated video card memory?) for protected-mode software using a specific segment selector and descriptor instead of through Paging(a segmentation-based method of doing that, instead of Paging-based method).

Edit: @crazyc Thinking about it, doesn't windows use it to implement lazy stack allocation and remapping(or maybe one older version of Windows)? I remember having read that somewhere.