Preventing access to other Tailscale Networks?

I have been actively trialing Tailscale for a few days to see if it would be a good fit for a specific project that I’m working on. I really like the product but there’s something that has me concerned about it being a good fit for our enterprise use.

Use case:
Extending remote access to an internal server (web application), to an external contractor as well as internal corporate employees. The internal server would be shared with the contractor with node sharing. The internal corporate employees would be invited to the corporate Tailnet as a member user and access the corporate Tailnet using the Tailscale client. In the corporate Tailnet, the default “allow all” ACL is disabled and ACL’s exist to support only the required traffic flows. All good up to this point!

Concern 1:
Once the Tailscale client is installed on a corporate employee computer system and their computer is authorized to connect to the corporate Tailnet, there does not seem to be a way to prevent the internal corporate employee from disconnecting from the corporate Tailnet and then connecting to a personal (or other) Tailnet. This could result in the corporate employee bypassing perimeter firewall if they have a node on the personal Tailnet acting as an exit node. Am I overthinking this or is this a real scenario? If real, is there any way to effectively manage this?

Concern 2:
If the corporate employee enables the “allow local network access” on the Tailscale client that’s installed on the corporate computer system, would that expose the corporate local area network to the Tailnet or do the Tailnet ACL rules (in this case ‘Deny All’) override and prevent the other Tailnet nodes from seeing the corporate network?

I also acknowledge that I may be overlooking the obvious and overthinking things in which case any direction that anyone can provide would be helpful.