As you say, there are now a multitude of options all with different advantages and disadvantages. Tailscale seems to fall into the middle ground
The main thing to note is that with all of these tools, you do have to put some trust in the vendor. However, with things like Tailscale and possibly Cloudflare Zero Trust, that is somewhat mittigated by the use of open protocols and tools. Tailscale uses WireGuard for example which is a well respected modern VPN tool.
Note that the private key never, ever leaves its node. This is important because the private key is the only thing that could potentially be used to impersonate that node when negotiating a WireGuard session. As a result, only that node can encrypt packets addressed from itself, or decrypt packets addressed to itself. It’s important to keep that in mind: Tailscale node connections are end-to-end encrypted (a concept called “zero trust networking”).
This is important to note. You MUST protect every private key. This is true for all certificate based security of course. If the key is ever compromised, your security disappears. Worse, you might not know for years. One of the major downsides of public key encryption.
However, we don’t handle user authentication ourselves. Instead, we always outsource authentication to an OAuth2, OIDC (OpenID Connect), or SAML provider. Popular ones include Gmail, GSuite, and Office365.
This is the other key point. The advantage of CloudFlare's Zero Trust tooling is that the free tier includes 50 users (though those users can offload their login to OAuth if you allow that). With Tailscale it seems you will also have to use a different OAuth provider?
(Both those are from How Tailscale works · Tailscale)
Interestingly they have a "Community on GitHub" plan which might be worth looking at.
Their docs seem easier to follow than CloudFlare's but I think that the CloudFlare service may be more comprehensive, especially on the free tier. In particular, the CF tooling offers a number of purely web-based access points - I couldn't spot that on a cursory look at the TS docs. That is particularly useful if needing access from a locked-down PC remotely - for example, if using a corporate/enterprise device or an internet-cafe/library device.
Either way, certainly a big step up in security and flexibility from something like NGROK.