What I want: The ability to say “Only X program runs through TS” Or “Everything but X runs through TS”.
Is that a thing I can do with only 1 NIC?
Normally it would be host based, not program based - i.e. ‘Only access this host through tailscale’.
It would depend on the program you’re wanting to do this with, but you’d probably be looking at finding a ‘trick’ to make it work, rather than it being an actual feature.
Possibly something with ACLs on ports and failing back to another route, or setting a proxy server on a tailscale host and telling just the program in question to use that.
More details would help someone give you a better clue.
@Spidge is right that most options are host based.
If it is a Linux based host I’d start exploring (googling) the following:
- Userspace networking mode (for containers) · Tailscale, if you can get X program to interact with a SOCKS5 proxy… overtly via direct support or covertly via a socksify technique.
- network namespaces - either used directly or used via containers
e.g. for “Only X program runs through TS”, I see some possible options:
- run X program in a container with Tailscale as a sidecar (as documented in Using Tailscale with Docker, or elsewhere in this forum)
- if X program supports “socksifying” (GitHub - emsal0/Socksify: A linux utility that allows one to run a process in such a way that all outgoing TCP connections go through a SOCKS5 proxy), configure it to use a Userspace networking mode (for containers) · Tailscale proxy instance.
- run X program and the Tailscale daemon together in a separate network namespace from the rest of the system. This one is tough to set up, especially depending on the vintage of systemd (if you are using its services). There is Running local services in network namespaces with systemd as an option to explore. This can be done with one NIC but would end up needing more than one IP address associated, usually achieved with a bridge attached to the NIC and each network namespace (the default one and the new one) having virtual NICs attached.
- run X program and the Tailscale daemon in a VM - just a different level of separation from the base system than a network namespace only based one but ends up with the same effective separation of the networking stacks and NATing etc. A VM might wrap up the configuration of the separate network etc. nicer than building it yourself with network namespaces. Which to use would probably come down to the nature of X program, available resources, etc.
e.g. for “Everything but X runs through TS”, it’s the reverse of some of the options above:
- run X program in a container with Tailscale as a sidecar (as documented in Using Tailscale with Docker, or elsewhere in this forum) and the container has its own IP address on the one NIC (NAT), etc.
- run X program in a separate network namespace separated from the rest of the system - gets its own IP address, routing etc…
- run X program in a VM - just a different level of separation from the base system than a network namespace.
All of the above is from memory and reading over the years - so YMMV.
I hope it inspires you to explore your use cases…
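The network namespace option from the reply above (one NIC, a bridge, a second LAN address, and tailscaled plus program X living together in the namespace), written out as an added example that is not from this thread and not Tailscale's own tooling. The namespace name tsonly, the bridge br0, the LAN addresses and the state/socket paths are assumptions chosen for illustration; the bridge is assumed to already exist with the physical NIC enslaved to it. By default the script only prints the commands it would run; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Tailscale): put one program and
# its own tailscaled into a dedicated network namespace that reaches the LAN via
# a veth leg on an existing bridge. Namespace name, bridge name, addresses and
# file paths are assumptions chosen for illustration.
set -eu

NS="${NS:-tsonly}"                       # namespace name (assumed)
BR="${BR:-br0}"                          # bridge that already enslaves the physical NIC (assumed)
VETH_HOST="veth-$NS"                     # host-side end of the veth pair
VETH_NS="eth0"                           # namespace-side end of the veth pair
NS_ADDR="${NS_ADDR:-192.168.1.250/24}"   # second LAN address, visible only inside the namespace (constructed)
LAN_GW="${LAN_GW:-192.168.1.1}"          # LAN default gateway (constructed)
TS_STATE="/var/lib/tailscale/$NS.state"  # separate state so this node is distinct from the host's
TS_SOCK="/run/tailscale/$NS.sock"        # separate control socket for the same reason
EXIT_NODE="${EXIT_NODE:-}"               # optional: exit node name/IP to send all traffic through
DRY_RUN="${DRY_RUN:-1}"                  # default: print the commands; DRY_RUN=0 runs them (needs root)

# run: print the command under DRY_RUN=1, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_namespace: create the namespace and give it its own leg on the bridge.
# Afterwards the namespace has a LAN address and default route the host does not share.
setup_namespace() {
    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS" netns "$NS"
    run ip link set "$VETH_HOST" master "$BR" up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip addr add "$NS_ADDR" dev "$VETH_NS"
    run ip netns exec "$NS" ip link set "$VETH_NS" up
    run ip netns exec "$NS" ip route add default via "$LAN_GW"
}

# start_tailscale: run a second tailscaled inside the namespace and bring it up.
# The tailscale0 interface it creates exists only in the namespace, so only
# programs started there can reach the tailnet.
start_tailscale() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "ip netns exec $NS tailscaled --state=$TS_STATE --socket=$TS_SOCK &"
    else
        ip netns exec "$NS" tailscaled --state="$TS_STATE" --socket="$TS_SOCK" &
        sleep 3   # let the daemon create its control socket before 'tailscale up'
    fi
    if [ -n "$EXIT_NODE" ]; then
        # With an exit node, even non-tailnet destinations leave via the tailnet.
        run ip netns exec "$NS" tailscale --socket="$TS_SOCK" up --exit-node="$EXIT_NODE"
    else
        run ip netns exec "$NS" tailscale --socket="$TS_SOCK" up
    fi
}

# run_in_ns: start program X inside the namespace; it sees no host interface.
run_in_ns() {
    run ip netns exec "$NS" "$@"
}

# teardown: deleting the namespace also removes the veth pair and tailscale0.
teardown() {
    run ip netns del "$NS"
}

# Usage (as root): DRY_RUN=0 ./tsonly.sh setup
#                  DRY_RUN=0 ./tsonly.sh run curl https://example.com
#                  DRY_RUN=0 ./tsonly.sh teardown
case "${1:-}" in
    setup)    setup_namespace; start_tailscale ;;
    run)      shift; run_in_ns "$@" ;;
    teardown) teardown ;;
esac
```

Two points worth knowing before relying on this. First, the namespace is a stronger boundary than the socksify trick: program X has only lo, eth0 and tailscale0 available, so it cannot quietly bypass the proxy the way a program with a broken SOCKS implementation can. Second, without an exit node the namespace's default route still points at the LAN gateway, so X reaches tailnet peers through Tailscale but everything else directly; if X should talk to the tailnet only, either set EXIT_NODE or add firewall rules inside the namespace (nftables run under ip netns exec) that drop traffic not destined for tailscale0.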