Don't forget to hit that like button and subscribe GitHub star! 
We aim to please!
From the OpenZiti perspective - this a "non-starter". You will always need to provide some kind of strong identity to the network before connecting. "Authorize before connect" is a core tennat of the zero trust model. You cannot access the network without an x509 certificate (the strong, cryptographically secure identity we use currently).
It's the latter, this: "Or is the meaning here that thereโs just no need for a client in addition to the tunneler?"
What that means is the developers have taken an OpenZiti and embedded it into their application. By doing that, they get the benefit of OpenZiti, without adding complexity to their user base. OpenZiti still uses an X509 certificate, but it's handled by the SDK, wrapped in the Ohka app. So the Ohka app with the OpenZiti SDK baked into it is able to access things without the need to install an agent, what we would call an "OpenZiti Tunneler".
From that doc:
Ohkaโs developers use OpenZiti SDKs to embed private networking into their custom-built apps in a few lines of code. For other use cases, they use the OpenZiti Tunnelers which are easy to use for desktop and mobile applications that consume data from datacentres or cloud environments.
We are very close to releasing "browZer", an agentless/installless, mechanism for boostrapping zero trust in your browzer, allowing you to access HTTP services in a seamless way. It will work very much like you're describing. So yes, it's very much in the works and should be landing soon. You can read about it on the introducing browzer blog article that went live recently:
https://openziti.io/introducing-openziti-browzer
[small edit around 'what' browzer is]