Yes - ZDE is sandboxed to the user, including the keys in the keychain. Quitting the GUI should not affect whether or not you stay connected to Ziti, though - there are two separate processes. Logging out the user will disconnect from Ziti.
I looked at the Sandbox entitlements to see if it looks straightforward to use a non-user directory for storing keys/identities, and all of the file-related entitlements require a logged-in user. These entitlements are required for the Apple app store. We’ve considered moving away from distributing via the app store but haven’t made that decision yet.
regarding ziti-edge-tunnel. @scareything, can you chime in here for viability on macOS?