by ffk 1561 days ago
Agreed. One way to help mitigate this is to establish Layer 7 security controls, rather than implicitly trust the network. Tailscale shouldn't be the sole security control in any environment.

I pretty much agree. Tailscale makes this pretty easy: you get role-based default-deny port-granular ACLs, so it was easy for us to establish a regime where we're only exposing HTTP-type services, on specific machines rather than whole swathes of address space. We then require SSO logins on those services (which in turn enforce things like 2FA).

Just getting access to our Tailscale networks doesn't get you anything; having your account in a group with access to an application gets you the right to attempt an SSO login to it and nothing else.
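The regime the reply describes (group-based, default-deny, port-granular rules that expose only an HTTP service on tagged machines) can be written as a Tailscale ACL policy file. The policy below is an added example, not the commenter's configuration; the group names, tag name and e-mail addresses are constructed placeholders. The SSO login the reply mentions is enforced by the application behind port 443, not by this file: the ACL only decides who can reach the port at all.

```jsonc
{
  // Groups map SSO identities to roles. All names and addresses here
  // are constructed placeholders for the example.
  "groups": {
    "group:app-users": ["alice@example.com", "bob@example.com"],
    "group:ops":       ["carol@example.com"]
  },

  // Only the ops group may attach tag:web to a machine, so a user
  // cannot tag their own device to pull it into the allowed set.
  "tagOwners": {
    "tag:web": ["group:ops"]
  },

  // Tailscale denies any connection not matched by an "accept" rule.
  // Listing a single rule is therefore the default-deny posture the
  // comment relies on: nothing else on the tailnet is reachable.
  "acls": [
    {
      // Application users reach HTTPS on the tagged web hosts only,
      // not SSH, not a database port, not whole address ranges.
      "action": "accept",
      "src":    ["group:app-users"],
      "dst":    ["tag:web:443"]
    }
  ],

  // ACL tests are evaluated when the policy is saved and reject the
  // change if an expectation fails, which catches an over-broad edit
  // before it is deployed.
  "tests": [
    {
      "src":    "alice@example.com",
      "accept": ["tag:web:443"],
      "deny":   ["tag:web:22", "tag:web:5432"]
    }
  ]
}
```

Keeping the destination list to `tag:web:443` rather than a host or CIDR means a new web host becomes reachable only when an owner in `group:ops` tags it, and the `tests` block documents the intended exposure so a later edit that widens it fails to apply.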