The problem is that some of the block lists are just too eager on the blocking.

I don’t see how the author can claim that NextDNS or AdGuard are any better in that regard though, as they rely on the same lists. 🤦

I run it on my router which has the CG-NAT IP address.

Whilst you’re right that it could clash, it’s very unlikely (a 1 in 4194302 chance), I imagine Tailscale would detect the clash and change IPs though I could be wrong as it never happened to me (and probably never will - though in all fairness it will eventually happen to someone).

Been using Tailscale behind CG-NAT for years. It works wonderfully and very rarely needs to route through the DERP infrastructure - it’s almost always a P2P connection.