Would it be hard? I thought the point of tailscale was not having to manage or concern yourself with key distribution.
Lookup the Tailnet Lock feature.
A feature in the client software they control, that you run as root, that auto-updates regularly?
You didn’t look it up, did you?
They could inject malicious keys into your config but would be hard to mask the evidence of that.