I don’t consider Jellyfin a fully secure and audited application to host, unsecured endpoints come to mind, that and the less exposed to the whole internet the better.

https://github.com/jellyfin/jellyfin/issues/13987

Things like these scare me:

https://blog.lastpass.com/posts/notice-of-recent-security-incident

https://www.androidpolice.com/lastpass-breach-plex-update/