To make sure I understand: are the problems that Tunnelblick will only or secure the copy of itself on the boot drive and will only install a configuration onto the boot drive, and you want to secure and install to an arbitrary location which is not necessarily on the boot drive?
It will be difficult to change that because the boot drive paths are hard coded into Tunnelblick for security reasons. Adding the ability to specify target paths would add complexity.
Assuming that Munki can deal with macOS Installer packages, I think it makes more sense to create such a package for Tunnelblick, instead of running Tunnelblick's installer program.
It shouldn't be difficult to make such a package; you could install Tunnelblick and the configurations on a "clean" system, and then copy from various places on that system (/Applications/Tunnelblick.app, /Library/Application Support/Tunnelblick, ~/Library/Application Support/Tunnelblick, ~/Library/Preferences/net.tunnelblick.tunnelblick.plist come to mind but there may be others) into the Installer package, preserving ownership and permissions. That way you wouldn't have to do anything when Tunnelblick changes except recreate the Installer.