> one node needs a public IP/port

A lot of people are behind CGNAT or behind a non-configurable router, which is an abomination.

> Secure your router

A typical router cannot be secured against physical access, unlike your servers which can have disk encryption.

> Your router is a SPOF regardless

Tailscale will keep your connection over a downstream switch, for example. It will not go through the router if it doesn't have to. If you use it for other usecases like kdeconnect synchronizing clipboard between phone and laptop, that will also stay up independent of your home router.