Its not as egregious as you think. ‘Everyone’ group means every Synology user account - not that everyone on the network that can talk to the NAS, they’d still need both a Synology account and Shared folder permissions. Any Synology user trying to access those files would still have to have read and write access to the Share to actually access it (eg via file explorer SMB/CIFs or app-level access to Synology File Manager, or they would need to be granted SSH access to get in via terminal, etc) in order to R/w/m the files.

I know it’s a bit confusing, but it’s correct. Docker often causes confusion with file permissions. There are file-level permissions (this article) and there are share-level permissions. You need both to access folders and files via mapped drives / SMB, this setting is just to ensure that Docker containers which can be running as a variety of user names (depending on how you config docker and the container) don’t experience issues accessing files you’re expecting them to be able to access, as Synology says, the default Docker folder permission is for the ‘everyone’ group to have Read-only access. This should allow most Docker containers configs to at least run and then if you run into issues writing/modifying files… That’s a clue you have missed some file permission configuration settings that need to be done, and the only reason it’s running at all is because that default ‘everyone’ permission is saving your butt.

I use very popular router by Gl.Inet called Flint 2 (GL-MT6000). Goes on special for about $125 USD. Great specs, solid device.

Fully supported by OpenWRT, and I recommend flashing to that so that you have completely FOSS software with no possibly hijinks from the manufacturer’s OEM OS.

You’ll need to read some guides or watch some vids to get you set up on OpenWRT, bit of a learning curve, but it has everything you could possibly need. Check it out.

I think I’ll just keep using tailscale until they start enshittifying, and then set up a Headscale instance on a VPS - no need to take this step ahead of time, right?

I mean, all the people saying they can avoid any issues by doing the above - what’s to stop Tailscale dropping support for Headscale in future if they’re serious about enshitification? Their Linux & Android clients are open source, but not IOS or Windows so they could easily block access for them.

My point being - I’ll worry when there is something substantial to worry about, til then they can know I’m using like 3 devices and a github account to authenticate. MagicDNS and the reliability of the clients is just too good for me to switch over mild funding concerns.