Zerotier seems a bit too clever about auto-discovery/peering.

For comparison: WireGuard, by design, is a fairly simple protocol that requires some other software or out of band configuration to provide the peer pubkey list (among other things). As a result, there are multiple mesh configuration tools built on top of it, some of which support dynamic (auto-discovered) peers/tunnel establishment. This separation of concerns for the well-designed mesh configuration layers on top of WG make it a little safer than integrated options like ZeroTier in my opinion, because the peer config/establishment and tunneling protocol are separate, independently auditable pieces.

I am wary of mesh VPNs that don’t require you to statically enumerate peers, especially when I don’t fully understand the underlying authorization/trust scheme. I’m extra wary of those that don’t have a well staffed team to respond to threats, and that don’t exhibit the appropriate amount of humility when making security claims. (This is not directed at ZeroTier specifically.)

On an unrelated note, there is a really fun infosec podcast named Darknet Diaries, worth a listen.