Am I the only one that has an issue with a VPN that I can't self host? Presumably if Tailscale gets PWN'd or subpoenaed then your network is breached, no?
Tailscale's data plane is [1] mostly p2p except for some cases where it doesn't work and it goes through an encrypted relay.
So your data does not run through Tailscale servers.
There is an OSS [2] coordination server that does let you totally self-host.
If the Tailscale control plane is pwnd, outside of compromised ACLs (access controls) and DNS routes, I don't think it affects anything critical on the data plane like passwords (because SSO) or private keys, since Tailscale machine keys and node keys never leave the device: https://tailscale.com/blog/tailscale-key-management/