Oof, a lot of vitriol in this thread.

In the end, security is less about tooling and config, and more about understanding the risks and acting accordingly.

I expose jellyfin to the internet, but only to a specific public IP. That reduced my risk considerably.