
It's theoretically the same idea at the node level instead of the application level, except that the WireGuard curve25519 keys now cannot be verified, since they are published by a 3rd party that you have zero control over. This 3rd party can simply connect to your machines anytime by injecting its public keys into your nodes and have complete access into your private network. That's the power of owning your own CA as opposed to letting others inject peer public keys as if there is nothing to verify.
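One check a node operator could run against the risk described in the comment above, as an added example that is not part of the original comment: compare the peers actually configured on a WireGuard interface with a list pinned locally, outside the third party's control. The pinned list, the sample dump and every key are constructed, and the input is assumed to be in the tab-separated layout of `wg show wg0 dump`.

```python
import base64
import ipaddress

def fake_key(n):
    """Constructed placeholder: base64 of 32 repeated bytes, shaped like a WireGuard key."""
    return base64.b64encode(bytes([n]) * 32).decode()

# Pinned locally and out-of-band (assumption): peer public key -> networks it may route.
PINNED = {
    fake_key(1): ["10.0.0.2/32"],
    fake_key(2): ["10.0.0.3/32"],
}

# Constructed sample in the tab-separated layout of `wg show wg0 dump`:
# line 1 describes the interface, each later line is one peer.
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", fake_key(9), "51820", "off"]),
    "\t".join([fake_key(1), "(none)", "198.51.100.7:51820", "10.0.0.2/32", "1700000000", "100", "200", "off"]),
    "\t".join([fake_key(2), "(none)", "198.51.100.8:51820", "10.0.0.3/32,10.0.0.0/24", "1700000000", "100", "200", "off"]),
    "\t".join([fake_key(3), "(none)", "203.0.113.5:51820", "10.0.0.9/32", "0", "0", "0", "off"]),
])

def audit_peers(dump, pinned):
    """Return (unpinned_keys, widened) for peers that differ from the pinned set."""
    unpinned, widened = [], {}
    for line in dump.splitlines()[1:]:          # skip the interface line
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        key, allowed = fields[0], fields[3]
        if key not in pinned:
            unpinned.append(key)                # a key the operator never approved
            continue
        permitted = [ipaddress.ip_network(n) for n in pinned[key]]
        extra = []
        for cidr in allowed.split(","):
            if cidr == "(none)":
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if not any(net.version == p.version and net.subnet_of(p) for p in permitted):
                extra.append(cidr)              # routes beyond what was pinned for this key
        if extra:
            widened[key] = extra
    return unpinned, widened

if __name__ == "__main__":
    print(audit_peers(SAMPLE_DUMP, PINNED))
```

The check is only meaningful if the pinned list is stored and updated through a channel the key-publishing party cannot write to.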

