I could open a port to the internet, but it would be Tailscale’s responsibility to secure the software that listens to the port (subject to an up-to-date software, that is my responsibility).

It’s not a standard Wireguard port. With Wireguard included in Linux, I would not be worried.