The internet is full of bots pounding at your machines to get in. It is only a matter of time until the breach Jellyfin.

If you are talking about brute force attacks for your password, then use a good password… and something like fail2ban to block ips that are spamming you.

This point doesn’t exactly match, but: public services like google auth don’t require users use vpns. They have a lot more money to keep stuff secure, but you may see my point… auth isn’t too trivial of a feature to keep secure nowadays. They implement similar protections, something to block spammers and make users have good passwords (if you dont use a good password, you are still vulnerable on any service).