tailscale has a control plane which can add a removes machines to your mesh. they control this unless you run your own. its just simpler to run wireguard imo

Not true, or not entirely true The control plane can be self hosted (headscale), and they have a mitigation for mitm or attack surface in the control plane - tailscale lock. It's FOSS, on their clients, if their control plane is FULLY compromised, literally completely taken over, they can still not add new machines, nor access them, at best they can shut you out of derp (can't even prevent your already logged in machines to connect because holepunch)

Tailscale

Tailnet Lock white paper · Tailscale Docs

Learn details about Tailnet Lock.