My use-case was to allow bitbucket hosted instances to connect to private instances in my infrastructure to push code to as part of the build pipeline. They way they are running Docker at bitbucket, you can't run the normal zerotier processes (IIRC, it wasn't allowed to create a tun/tap device).
The zerotier public networks are networks that anyone can join given the network ID, without requiring an admin to authorize them.
I wrote a python-based "ztproxy" [1] which you can call from SSH as a ProxyCommand like: `ProxyCommand /usr/bin/python3 /path/to/ztproxy /tmp 1234567890abcdef 9994 10.3.2.1 22`. On top of that I had SSH public key authentication of both the remote host and the local user, so even if the network ID was exposed, it wouldn't have been wide open. I also had ZeroTier network level rules that only allowed the SSH traffic.