Why is there a separate machine private key and a node private key?

I’m reading Key management characteristics of the Tailscale Control Protocol · Tailscale and I understand that there are two separate keys generated on each machine. The node keypair is what’s used as the identity when talking to peers, so that part is obvious to me. Why is there a machine keypair that needs to be generated and shared with the control plane before the node keypair? Why not use the node keypair as the only identity to talk to both the control plane and peers?

My understanding is that the machine key is used to initiate a trusted connection over ECDH with our control server, and is unique to the machine.

A node key is unique to the logged in user so some machines may have multiple node keys depending on who is actively logged in. The public half is sent to our control plane and distributed to your other tailnet nodes to build the wireguard mesh.