Great blog post, but unfortunately from my experience with my kinda tech-friendly family, I can tell you that not exposing services publicly is an absolute UX killer.
Nobody uses the local Nextcloud because they just don't think they can rely on it, it doesn't always work from their perspective, and is too finicky to use, because it needs an external app (Tailscale).
This can only be fixed when the app itself can trigger a VPN connection, and I don't think this is going to happen any time soon.
Let me introduce you, and the many other people in this thread looking for a "let my app live in my VPN but still expose it to family/friends without the need to install Tailscale clients" solution, to Tailscale Funnel: https://tailscale.com/kb/1223/funnel
An easy solve for this is to buy public domains for the sites you want to use, run a static website on them that says "turn on Tailscale to access this site, set that up here (link to download a client preconfigured for my tailnet, invite only of course)", then use Tailscale DNS overrides to set up CNAMEs for those public domains' (sub)domains which point to the tailnet-internal service domains.
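A quick way to verify the setup described in the comment above, as an added example that is not code from the thread: resolve a public hostname and classify whether the answer is a tailnet-internal address (the Tailscale DNS override is active) or a public one (the placeholder site). The hostnames and addresses in the fake resolver are constructed placeholders; the address ranges are the ones Tailscale assigns to nodes.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Ranges Tailscale assigns to tailnet nodes (IPv4 CGNAT block and IPv6 ULA block).
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILNET_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")


def is_tailnet_address(addr: str) -> bool:
    """True if the address belongs to one of the tailnet ranges."""
    ip = ipaddress.ip_address(addr)
    return ip in TAILNET_V4 or ip in TAILNET_V6


def system_resolve(hostname: str) -> Iterable[str]:
    """Resolve via the host's configured resolver (MagicDNS when Tailscale is on)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def classify(hostname: str, resolve: Callable[[str], Iterable[str]] = system_resolve) -> str:
    """Report which side of the split-DNS setup answered for this hostname.

    "tailnet"    -> every answer is tailnet-internal: the CNAME override is in effect
    "public"     -> every answer is public: the client reaches the placeholder site
    "mixed"      -> both kinds: the override is only partially applied, so a client
                    may land on the placeholder even while connected
    "unresolved" -> no answer at all
    """
    addrs = set(resolve(hostname))
    if not addrs:
        return "unresolved"
    internal = [a for a in addrs if is_tailnet_address(a)]
    if len(internal) == len(addrs):
        return "tailnet"
    if internal:
        return "mixed"
    return "public"


# Constructed stand-in for the resolver, so the check runs offline.
FAKE_ANSWERS = {
    "cloud.example.test": ["100.101.102.103"],            # override active
    "cloud-off.example.test": ["203.0.113.10"],           # placeholder site only
    "cloud-leak.example.test": ["100.101.102.103", "203.0.113.10"],
}


def fake_resolve(hostname: str) -> Iterable[str]:
    return FAKE_ANSWERS.get(hostname, [])
```

Run `classify("cloud.example.test", fake_resolve)` to see the offline case, or `classify("your-host")` from a device with and without Tailscale enabled to confirm each side resolves as intended.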
I do have to sit down and walk folks through setting up Tailscale, Nextcloud, etc. on their devices. So far though, I haven't had any complaints once that is done. Nextcloud just syncs in the background and they can navigate to sites like normal. But my family is probably more tech literate than most, so that helps.