How secure is it to leave RaspberryPi active with Tailscale

Hi!

am a completely new user to Tailscale as I tried to get Wireguard up and running on my PI via PiVPn which kind of worked with Port forwarding and DDNS for the ever changing ISP provided IP.

However it felt very unsafe to me to have a port open, which is when I came across Tailscale.

Have it on my Pi now with an option to use as Exit node to if I want. Primary use case is to reach my Adguard Home install and Nextcloud. Both seems to work from my mobile so that I have adblocking on the go and can access my cloud.

Since I don´t really am that deep into networking… Is it resonable safe to have my PI waiting for Tailscale device to connect to it or should it Tailscale -down when not needed to minimize attack suface?

Is there even any since no port has been opened on my router and there is also UFW running only allowing my Tailscale IPs onto Tailscale0 interface.

Would like to leave it always on as my PI is so I can also use it as exit node when travelling abroad or on dodgy Wifi but only if safe, which is where I am still a bit hazy to be honest.