Tailscale SSH Security Issue?

Dear Tailscale support

I have read the announcement of Tailscale SSH with great interest, but I am a bit worried about something… the SSH information in the docs states that:

An SSH access rule can also specify autogroup:nonroot to allow any user that is not root. If no user is specified, Tailscale will use the local host’s user. That is, if I am logged in as alice locally, then SSH to another device, Tailscale SSH will try to log in as user alice. Like other SSH clients, Tailscale will only use user accounts that already exist on the host, not create new accounts.

What prevents our users (all admins on their local machines) from creating an extra local user named ‘mycolleague’, and then SSH-ing into a server with their colleague’s account? Wouldn’t it make more sense to use the first part of their Tailscale account name (username@domain.com) in order to assume an identity? At least that would match the already verified corporate identity, and not the identity that the user configured himself locally?

I hope I missed something here :wink: Thanks in advance for your response!
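Added example, not part of the original post and not Tailscale’s own policy: a Tailscale SSH access rule in the HuJSON policy-file format, contrasting the broad autogroup:nonroot form quoted above with a rule that pins the server-side accounts a group may log in as. The group name (group:ops), tag (tag:prod), member addresses and the deploy account are assumptions for illustration. The local client username still decides which account name is attempted, but with an explicit users list any name outside that list is rejected, so a locally created account named after a colleague does not by itself grant that colleague’s access.

```hujson
{
  // Assumed group and tag names; adjust to your own tailnet.
  "groups": {
    "group:ops": ["alice@example.com", "bob@example.com"],
  },
  "tagOwners": {
    "tag:prod": ["group:ops"],
  },
  "ssh": [
    // Broad form (as in the quoted docs): any existing non-root local
    // account is acceptable, so whatever username the client runs as
    // is what gets attempted on the server.
    // {
    //   "action": "accept",
    //   "src":    ["group:ops"],
    //   "dst":    ["tag:prod"],
    //   "users":  ["autogroup:nonroot"],
    // },

    // Tighter form: this group may only become the "deploy" account.
    // Logging in as any other server-side user is denied regardless of
    // which local username the client presents.
    {
      "action": "accept",
      "src":    ["group:ops"],
      "dst":    ["tag:prod"],
      "users":  ["deploy"],
    },
  ],
}
```

Keeping the users list to named service or shared accounts, one rule per group, means the tailnet identity in src is what decides who may reach which account; the locally chosen username only selects among accounts that rule already permits.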