GL router as Tailscale exit node and GL VPN policies

I noticed that Tailscale clients which are configured to use a GL router as the exit node get their web traffic routed through whatever VPN client is currently enabled on the GL router. However, this bypasses IP/domain-based exceptions set up on the GL side. Does anybody have an idea how Tailscale clients could be made to respect GL VPN policies?