Pilot is per-agent/process, not per-machine. On one host, you can run many independent agents, each with a permanent virtual address. Separate trust handshakes/revokes (one agent trusts peer X, another doesn’t). Scope is to give agents a "phonebook" (discovery + permanent addresses) + direct reachability for messages, data streams, pub/sub, HTTP/gRPC, or even tunneled legacy TCP via gateway. Tailscale wins if you want to create a private net, or expose stuff via Funnel.
Docker Compose locally? And if it is local, there is already an amount of trust there.