Plex, as a company, definitely is aware of what items are in your library, but streams don’t go through the Plex servers unless you use the Plex proxy service, which is enabled by default but only used when the client connection speed is too slow to use the desired streaming setting.
Everyone who accesses their Plex externally should use app.plex.tv rather than NAT/port forwarding unless you’re also doing IP whitelisting on the NAT (not feasible for most remote access scenarios, as IPs are dynamic in most cases). Jellyfin should never be exposed externally.
I work in a highly regulated sector of IT and have learned that even the most robust software will have serious exploits at some point.