I've been using Jellyfin for about... five years, maybe? And it would never have occurred to me to put it on the open Web. I'd never bothered to check, but I'd just assumed it was a security catastrophe, like nearly all home-user-targeted itch-scratching software is.
So if I understand the last comment correctly...<p>It's possible to get unauthenticated streams if you know the media paths. Media collections, at least in my experience, usually adhere to a few common organization schemes. This would allow someone with a list of common titles, which are available in various public databases, to leak data by brute force from a public facing Jellyfin instance quite efficiently.<p>Discounting this as merely "suboptimal behavior" sounds like a mistake.