This is a secure mesh network, but it appears to be for embedding into applications, not a "private VPN" like Tailscale, or do I misunderstand?

Embedding is an option, but tunnelers - https://netfoundry.io/docs/openziti/reference/tunnelers/ - and edge routers (which can front legacy services without modifying them) also exist.

The difference is architectural; Tailscale is a mesh VPN, whereas OpenZiti is an identity-first, zero trust overlay network. This makes OpenZiti service-centric and deny-by-default, not network-centric. Instead of “join a private network,” you get access only to explicitly authorised services — with no ambient reachability at all. Its also 100% open source. If you want a simple productised, SaaS experience, NetFoundry, the company behind OpenZiti provides that.