I think this is what you should look into. Are the services in Heimdall listed with the local IP or host names? Or are they referenced with the tailscale IP?
Three things I want to add here:
On tailscale I can only access my home lab’s root page with the services being accessible with something like domain.tld/service.
service.domain.tld is not supported by tailscale. (See github issue)
The local domain is different to the tailscale domain. If you want to use them with a reverse proxy (nginx, caddy) you need to have rules configured for your tailscale magic DNS domain too.
I have a question about the work profile: would it make sense to isolate the PlayStore too, as it‘s google? Because this is the main painpoint for me, as I cannot move to a custom rom with my phone currently