Lots of those issues have been blown out of proportion, and would never be a real concern for the “just a dude running a server in his closet for his friends” setups. Which, to be clear, is the vast majority of setups.

For instance, virtually all of the worst issues require that the attacker already has a valid login token. So unless they stole your buddy’s credentials, the only one to truly worry about would be your buddy directly. But yes, Jellyfin has some gaping holes, and letting it touch the WAN at all is always a risk. You’re giving attackers a new potential vector of attack that didn’t exist before, so that’s worth noting.