Comment on Is they're an easy way to make my Jellyfin accessible outside of my home network
quick_snail@feddit.nl 3 days ago CAs and their subordinate certs have a long history of loosing control of their private keys to attackers.
And also many State-sponsored cyber mercenaries have been given certs in the root stores.
Onion Services fix this by using a single pinned cert.