The company Tailscale is a giant target and has a much higher risk in getting compromised than my VPN or even accessible services.
One must be careful about this mindset. A bunch of smart lightbulbs that are individually operated aren't a particularly appealing target either. However, in aggregate... If someone can write a script that abuses security flaws in them or their default configuration ... even though you're not part of a big centralized target, you are part of a class that can be targeted automatically at scale.
Self hosting only yields better security when you are willing to take steps to adequately secure your self hosted services and implement a disaster recovery strategy.