I disagree. You lose out on granular permissions and magicdns.
I run a tailscale instance per service, even if the services are colocated in the same VM. This lets me take advantage of tailscale serve, and I can also move services between VMs without changing access or dns.
I use a mixture of --advertise-subnet on a dedicated tailscale VM to act as an exit node for when I'm away and ephemeral sidecars for everything I run in containers. This gives me magic dns but doesn't work with everything. I.e. I couldn't get a transmission-torrent container to download reliably with this setup and I have no idea why.
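As an added illustration of the "ephemeral sidecar per container" pattern the comment above describes (this is an example written for this thread, not the commenter's own setup), one way to attach a single service to the tailnet with its own node name and a `tailscale serve` front end. The service name `app`, the internal port `8080`, the tag `tag:web` and the `tskey-auth-PLACEHOLDER` key are assumptions; the environment variables (`TS_AUTHKEY`, `TS_EXTRA_ARGS`, `TS_STATE_DIR`, `TS_SERVE_CONFIG`) and the `network_mode: service:` sidecar pattern are documented by the tailscale/tailscale container image.

```yaml
# --- compose.yaml (example, not from the original post) ---
services:
  ts-app:
    image: tailscale/tailscale:latest
    hostname: app                          # becomes app.<tailnet>.ts.net in MagicDNS
    environment:
      # Pre-authorised, ephemeral auth key created in the admin console:
      # the node is removed automatically when the container goes away.
      - TS_AUTHKEY=tskey-auth-PLACEHOLDER
      # Tagging the node lets ACL grants target "this service" rather than a host.
      - TS_EXTRA_ARGS=--advertise-tags=tag:web
      - TS_STATE_DIR=/var/lib/tailscale
      # Serve config is applied on start, so HTTPS termination travels with the node.
      - TS_SERVE_CONFIG=/config/serve.json
    volumes:
      - ts-app-state:/var/lib/tailscale
      - ./serve.json:/config/serve.json:ro
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped

  app:
    image: example/app:latest              # assumed application image, listens on 8080
    # Share the sidecar's network namespace: the app sees the tailnet, nothing else
    # on the host network needs to be exposed.
    network_mode: service:ts-app
    depends_on:
      - ts-app

volumes:
  ts-app-state:

# --- serve.json (example) ---
# {
#   "TCP": { "443": { "HTTPS": true } },
#   "Web": {
#     "${TS_CERT_DOMAIN}:443": {
#       "Handlers": { "/": { "Proxy": "http://127.0.0.1:8080" } }
#     }
#   }
# }
```

Because the node identity (name, tag, serve config) lives in the sidecar rather than in the VM, moving `app` to another host keeps its MagicDNS name and whatever ACL grants reference `tag:web`; the application port itself is never published on the host, so reachability is decided entirely by tailnet policy.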