[Closed] Tailscale Improvements (Certificates, Per App Deployment, Taildrop)

This is a related request: New app catalogue request: Caddy (reverse proxy)

You can do certificate automation, HTTP/3 and TLS for the TrueNAS GUI, TrueNAS apps and your own custom apps while staying within the TrueNAS design by deploying a caddy-tailscale container that reverse proxies for your applications (including TrueNAS if you so wish) and, for those apps that support it, can pass authentication details in headers. I agree that it would be nicer if there was an option to deploy caddy-tailscale sidecar containers along with apps. A neat feature is that the services are only available via Tailscale, and you can turn off the GUI accessibility in the TrueNAS app. It is low-resource; 1 Caddy container serving 6 applications is using 75MB.

If you are happy with the caddy-tailscale container, it is published by Tailscale directly. If you want extra Caddy modules not included in Tailscale’s version, credit goes to @sfatula for posting this how-to on making a custom Caddy container with any additional modules you want: Electric Eel - How I am using Dockerfile, .env files, compose files

Tailscale for OIDC sounds nice! I will try! :slight_smile: For file sharing, SMB and NFS don’t support OAuth, but plenty of apps do. The only trouble is my Tailscale userid is an Apple Private Relay address that I will never remember. :slight_smile:
