
Don't most ISP routers block ports unless you port forward them though?

I wouldn't say that the vulnerability in that case was in OpenClaw, but with the router; nowadays it's expected that ports are blocked unless explicitly allowed in the router.



All home routers block all ports by default. How would they know which IP and port to forward traffic to if not for manual configuration? Also, "listening on all interfaces" doesn't matter on a home network; multi-homed devices don't make any sense in a home network unless you're purposely experimenting or playing with things like that yourself. Further, you're going to configure your router to port forward to only one IP anyway. Also, I think Tailscale isn't doing much in these setups as well. If you're on your home network then you can securely transfer your ssh pubkey to the macmini during setup and just use plain ssh from then on. If you're extra paranoid, don't forward 22 from the router and then your macmini is only accessible from your home network.

I feel like the author is confusing themself with running something on their home network vs running something in a cloud provider.


>All home routers block all ports by default. How would they know which IP and port to forward traffic to if not for manual configuration?

I might have to recommend brushing up on your IP/TCP.

This is what routers do by default. IP is very different from IP. IP is what they use to know how to route, too long to fit in a post, but MAC to IPs form a local ARP table. Can be many nodes long. Ports are what identify a process in a machine; IP-level routers don't care at all about the port (unless you are natting) in order to route, the port bytes are forwarded as is and only parsed by the destination (and constructed by the source).



