by samb1729 1460 days ago
Are you asking whether the owners and operators of the Tailscale control plane can theoretically add devices to your network without your authorisation? If so then yes, definitely.

Perhaps a terrible analogy, but to me the question reads like "can the bank just spend my savings?"

How might you expect a fresh node to join your existing Tailnet without Tailscale having a means to add a node?

2 comments

Requiring an administrator or other device to pre-authorize or manually approve a new device, by signing the new device key with a client signature key.

Why would you expect anything else? That’s like saying WireGuard or SSH servers should just accept any client. The purpose of mesh VPN controllers is to automate redundant key management, not to subvert the original security model.

Most code is open source, I guess they could include a feature (not enabled by default) that sends a warning whenever it sees a previously unseen device on the network. Would be noisy and useless for most, but prevent Tailscale from adding a new device secretly.

But then again, I'm not sure there are many people who'd worry about that.
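The warn-on-unseen-device idea from the comment above, as an added example that is neither Tailscale's code nor part of the thread: a small Python check that diffs the peers reported by `tailscale status --json` against an operator-maintained allow list of node keys and flags anything not yet approved. The JSON field names (`Peer`, `HostName`, `TailscaleIPs`), the sample status document and the baseline file name `known_nodes.txt` are assumptions.

```python
import json
from pathlib import Path

# Constructed sample in the shape of `tailscale status --json` output.
# Field names are assumed from the Tailscale CLI; check them against your install.
SAMPLE_STATUS = json.dumps({
    "Self": {"PublicKey": "nodekey:aaaa", "HostName": "laptop",
             "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        "nodekey:bbbb": {"HostName": "nas", "OS": "linux",
                         "TailscaleIPs": ["100.64.0.2"], "Online": True},
        "nodekey:cccc": {"HostName": "unknown-box", "OS": "windows",
                         "TailscaleIPs": ["100.64.0.3"], "Online": True},
    },
})

def load_baseline(path):
    """Read the node keys the operator has already approved (one per line)."""
    p = Path(path)
    if not p.exists():
        return set()
    return {line.strip() for line in p.read_text().splitlines() if line.strip()}

def unseen_peers(status_json, known_keys):
    """Return peers whose node key is absent from the approved baseline."""
    status = json.loads(status_json)
    peers = status.get("Peer") or {}  # "Peer" is null when the tailnet has no other nodes
    return [
        {"key": key,
         "host": info.get("HostName", "?"),
         "ips": info.get("TailscaleIPs", [])}
        for key, info in peers.items()
        if key not in known_keys
    ]

def format_alert(peer):
    """One log line per unapproved node, suitable for a cron job or SIEM forwarder."""
    return f"WARNING: unapproved node {peer['host']} ({peer['key']}) ips={','.join(peer['ips'])}"

if __name__ == "__main__":
    # Live use would replace SAMPLE_STATUS with:
    #   subprocess.run(["tailscale", "status", "--json"], capture_output=True, text=True).stdout
    known = load_baseline("known_nodes.txt")
    for peer in unseen_peers(SAMPLE_STATUS, known):
        print(format_alert(peer))
```

Note that this check runs on a client and reads the peer list the control plane hands it, so it detects an unexpected node after the fact rather than preventing the control plane from adding one; pre-authorization of new device keys, as the earlier reply describes, is the preventive control.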