Without authentication; it’s possible to randomly generate UUIDs and use them to retrieve media from a jellyfin server. That’s about the only actually concerning issue on that list, and it’s incredibly minor IMO.

With authentication, users (ie, the people you have trusted to access your server) can potentially attack each other, by changing each others settings and viewing each other’s watch history/favorites/etc.

That’s it. These issues aren’t even worth talking about for 99.9% of jellyfin users.

Should they be fixed? Sure, eventually. But these issues aren’t cause to yell about how insecure jellyfin is in every single conversation, and to go trying to scare everyone off of hosting it publicly. Stop spreading FUD.

Can’t say I disagree.

In the case of plex, it’s not 100% selfhosted. There’s a dependence on plexs public infrastructure for user management/authentication. They also help bypass NAT by proxying connections through their servers so you don’t have to setup port forwarding and can even easily escape double NAT situations.

I can understand paying for that convenience, but cost keeps rising while previously free features continue to get locked behind paywalls.

Tbh, having users required to authenticate with plex.tv was enough for me to look elsewhere. The biggest reason to self host for me is to remove dependency on public services.