To add on to this, in some organizations it's easier to assess risk according to RMF and similar frameworks if the application ships with stunnel and is configured from within than it is for the application to require a system-level VPN like Wireguard.
That said, I think Wireguard is easier to analyze on the wire since it has a known binary signature from the first 4 bytes, while stunnel tunnel is indifferentiable from web browsing traffic. For a bad actor looking into exfil or C2, this means an stunnel is probably the sneakier and thus more reliable method of encryption on the wire compared to wireguard.
I only use it for shell access to machines in my home network, so I cannot remark on performance, but it is also by far the easiest to use VPN solution I've had contact with. Not that I'm an expert in this matter, but setting up Wireguard access was dead simple and it has never given me any trouble since.
I know stunnel serves different purpose, but still why would you need it for your service if you can be in the vpn and speak plaintext?