Tailscale connections don't get terminated by a middle box, it's just end-to-end encrypted Wireguard under the hood. Cloud-hosted control panel is a risk because they could push malicious configuration changes to your clients (ACLs and new nodes if you're not using the lock feature), but they can't do it without leaving a trace like Cloudflare can.

Tailscale cannot passively observe traffic.

They could inject malicious keys into your config but would be hard to mask the evidence of that.

Would it be hard? I thought the point of tailscale was not having to manage or concern yourself with key distribution.

Lookup the Tailnet Lock feature.

A feature in the client software they control, that you run as root, that auto-updates regularly?

You didn’t look it up, did you?

These are not the same thing, the parent is confused..