If you’ve got Tailscale it’ll support direct encrypted tunnels over the LAN: I actually do this with Samba for Time Machine backups on macOS.

(I used to use split DNS so that my LAN’s router’s DNS server returned the LAN IP, and Tailscale’s DNS server returned the Tailscale IP. But because I’m a privacy geek I decided to make it Tailscale-only.)