And so, instead of having an open port for SSH, (ideally) with certificate-only authentication, optionally MFA, you trade it for an open port for Tailscale/WireGuard, handing over "all" your data to a company that is offering you a service for no monetary compensation.
Also, why do you think that it is better to not change the root password? It sounds like a very suspicious recommendation.
You're wrong.
You don't need to open any ports to use Tailscale, and its job is to a) get nodes to connect directly or b) shuttle jibber-jabber encrypted with nodes' private keys from point A to point B and back again through Tailscale-owned distributed servers. Tailscale only sees the traffic it needs and nothing else. It's free because it's "cost-effective" to run and because it can rely on word-of-mouth marketing because it solves a really complex problem in an elegant way, which makes enterprise customers want to pay for it.
Not changing the root password is correct, because at least on Ubuntu, it has been locked, meaning the only way to use it is through sudo or SSH keys (common during initial server setup). Setting a password for root and using su has no benefits over using sudo and comes with significant downsides, because it is unauditable.
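A way to verify the locked-root claim above on a given host, as an added example that is not part of the thread: it classifies the password field of a shadow(5)-format entry, where a leading `!` or `*` means no password can match. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the password state of an account from a
# shadow(5)-format file. Function names are hypothetical, not from the thread.

# pw_state USER [FILE] -> prints: locked | empty | set | missing
pw_state() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"   # no password required at all
            else if ($2 ~ /^[!*]/) print "locked"  # no hash can ever match
            else                   print "set"     # usable password hash present
            exit
        }
        END { if (!found) print "missing" }
    ' "${2:-/etc/shadow}"
}

# check_root [FILE] -> exit status 0 only if root's password is locked.
# A locked password does not block key-based SSH or sudo; it only removes
# password login and password-based su to root.
check_root() {
    state=$(pw_state root "${1:-/etc/shadow}")
    echo "root password state: $state"
    [ "$state" = locked ]
}

# Constructed sample entries (not taken from a real system).
sample_shadow() {
    cat <<'EOF'
root:!:19700:0:99999:7:::
deploy:$6$constructedsalt$constructedhash:19700:0:99999:7:::
backup:*:19700:0:99999:7:::
guest::19700:0:99999:7:::
EOF
}

# Demo against the constructed sample, so it runs without root privileges.
tmp=$(mktemp)
sample_shadow > "$tmp"
check_root "$tmp" || echo "root has a usable or empty password"
rm -f "$tmp"
```

Calling `check_root` with no argument as root reads the real `/etc/shadow`.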