I was just in you exact Situation with my jellyfin homeserver. I was using Tailscale for a while, but ran into a problem: my new server is really bad at encoding so I can only use directplay, which uses more bandwith than the tailscale relay servers can give.

The problem with tailscale is, I basically only ever use the relay servers because my home is cgnat and most of the time when I want to stream outside of home I am on mobile data with cgnat or at college (restrictive firewall).

My solution which I implemented last weekend was to buy the cheapest vps I could get from my trusted provider and harden it and install nginx proxy manager and tailscale. With that I can make a direct (no relay server) connection to my homeserver and proxy jellyfin to a piblic domain.

I am still figuring out how to secure jellyfin, but I have also seen some comments that jellyfin is secure by default and therefore ok to have exposed.