Ente looks interesting and worth looking into, thanks for mentioning it.
In the context of having a phone stolen, it's possible to at least limit the damage and revoke accesses via the Tailscale control server. Then the files on device are still vulnerable, but not everything in Immich (or whatever other service is running).
Why would you need Tailscale for revoking an access token in an unrelated service? Just kick the device out of the sessions list in Immich, or change your password if that's stored directly on the device
In the context of having a phone stolen, it's possible to at least limit the damage and revoke accesses via the Tailscale control server. Then the files on device are still vulnerable, but not everything in Immich (or whatever other service is running).