Just today I installed Tailscale on a VPS and was wondering why it could discover all machines on my tailnet. Even though I specifically didn’t give it any grants or ACL rules.

Turns out, new machines have permissions of the authorizing user when first authorized.

These devices were added by me so they assume my identity.

Alex from Tailscale

In other words, Tailscale on an untagged machine can do everything the user can do, limited only by the capabilities of the Tailscale client software. Luckily, that doesn't include being able to edit the ACL.

After I applied a tag, tailscale status returned only those machines that can connect to this node.
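To make the tagged/untagged distinction concrete, here is an added example policy file (not from the original post or from Tailscale's docs). The tag names tag:vps and tag:web, the web server destination, and the rule keeping members on their own devices are assumptions.

```hujson
// Added example policy, not part of the post. Assumed: tag:vps for the VPS,
// tag:web for a web server, both tags owned only by tailnet admins.
{
  "tagOwners": {
    // Only admins may apply these tags, so a node cannot tag itself into
    // more access than the policy intends.
    "tag:vps": ["autogroup:admin"],
    "tag:web": ["autogroup:admin"],
  },
  "acls": [
    // Untagged nodes act as the user who authorized them, so this rule is
    // what an untagged VPS would inherit: reach the user's own devices.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},
    // Once the VPS carries tag:vps it no longer matches autogroup:member;
    // it gets only what is listed here: HTTPS to tagged web servers.
    {"action": "accept", "src": ["tag:vps"], "dst": ["tag:web:443"]},
  ],
}
```

Apply the tag from the admin console or with tailscale up --advertise-tags=tag:vps on the VPS; afterwards tailscale status on that node lists only the peers the tagged rule allows.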