# architecture
it's a fair question. It's basically replacing gRPC. We previously had it going over WireGuard, but this created a lot of chicken-and-egg problems. You have to maintain the WG interface over the same channel where updates are being sent. We often had to send updates and hope that the interface would update correctly. If something goes wrong, there's no way to recover bc the wg config is off. In the new model, it's using certs generated by the server for encryption, and every machine gets its own pair of client certs, so it'll still be very secure.