

I think ACL is a paid feature with TS, but maybe I’m wrong. Once you get to the paid tier, you are just paying someone else to manage your VPN, which is fair enough, but it’s not something you couldn’t also pay someone to do with WireGuard (or OpenVPN for that matter). I think it’s fair to say “I pay for this service because I don’t want to have to deal with configuring it myself”. It might be easier to set up for some use cases, but if someone is already self-hosting things and has a DIY attitude to it, I don’t think Tailscale can do anything WireGuard can’t also do (it is based on WG after all).
Maybe I’m not familiar enough with other kinds of setups to think of things though. My WireGuard setup is basically a meshnet between several people’s home servers. Each person has their own subnet only they can use, but the wider 10.X.X.X is shared by everyone. It’s certainly not the most secure because it doesn’t need to be, but if I wanted to restrict one person’s access to something I certainly could do that.
Why is it not mounted on the host/container? I don’t think you are using Jellyfin “wrong”, but it’s not like you can’t just configure a mount point if you wanted to use Jellyfin with it.
That is an interesting thing to point out though. I’m not actually sure, but I think they used to support SMB shares directly. I might just be thinking of Kodi though.