My use cases are:

• Connect from multiple devices on the same home network (with the application)
• Connect from a phone device on the internet (with the application)
• Connect from some PC’s and devices on the internet (with the application and from web browser)

For home networked devices, I don’t care about security that much. I try to lock it down on the router level and by using VLANs for less secure devices. I connect via IP directly (or .local domain).

Jellyfin runs under its own user with read access to a media library.

For devices on the internet, I have jellyfin exposed on a specific url path of my domain - through a reverse proxy all through 443. A bit of security through obscurity here. I’m proxied through cloudflare on the DNS side with very restrictive IP rules.
I think this is enough for the security flaws jellyfin does have. I’d sleep better at night if it had client certificate support, but Its not a big deal imo. If security flaws allowing remote code execution are found, I’ll shut it down and allow access through wireguard only and lose access from some devices on the internet where I cant use VPNs. Not a bit deal either.