You have to worry about attackers modifying the control plane regardless of whether it's under your control or Tailscale's. You do need to collect the logs of how the nodes allowed to connect are changing to your SIEM. Which should be already done, because they already shove the (extremely verbose) logs into the appropriate places (eventlog on windows, journalctl on linux)
Obviously you have to secure your control plane. The question is who is securing it. I would rather be segregated from other users so I'm not swept up in a breach in tailscale that can compromise every user at once. It's a big single point of failure.
