Good pointer. OpenZiti does fit that model well — app-embedded rather than network-wide relay/VPN first (though OpenZiti also supports non-embedded options). The main difference is it’s not just connectivity in the app, but identity- and policy-driven service access, so you get authN/Z-before-connect, with explicit Zero Trust principles, rather than just a tunnel embedded in the client/server.
Glad it helped (I work on the project). Reading up on Iroh, OpenZiti approaches this less as ‘how do I reach that host across any path’ and more as ‘which identity is allowed to access which service across paths’,’ which feels like a better fit for app-specific access based on zero trust principles than a general network relay.
In particular I believe OpenZiti has a similar focus on embedding the tunnel in the apps.