How to isolate a device to only allow remote management?


I am fairly new to Tailscale but it has been working mostly great so far for me.

So I have this one remote physical location for which I want to be able to manage my network remotely.
It is my own network, but because the location is remote (far, far away) and I do not have the device under my physical control all the time, I am worried that the device could be stolen, easing access to my main network, on which I have multiple Tailscale nodes all linked together.

Is there a way, through ACL, to basically block this remote device from accessing ANY of my other Tailscale nodes while allowing these other nodes to still access this one device at risk?

Is this feasible and how would you go about doing this?

Any pointers would be greatly appreciated.