If you're not Cloudflare averse...
Set up an Immich VM or Docker container with a Cloudflare tunnel.
Front access with Cloudflare Access (Zero Trust) for free.
Set "can only be accessed by users with email = xyz@myuser".
Done.
Now assuming this is the same user email as the one you shared photos with, there is a base level of security keeping the riffraff away.
Home IP is never exposed either, because it's proxied through the cf tunnel.
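
The tunnel side of the setup described in the comment above, as an added example (not part of the original comment): a `cloudflared` config that publishes only the Immich hostname and has `cloudflared` itself reject requests that lack a valid Cloudflare Access token. The hostname, tunnel UUID, team name, AUD tag and the Immich port are placeholders or assumptions.

```yaml
# /etc/cloudflared/config.yml
# Constructed example; every value in <...> and the hostname are placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Only this hostname is routed to Immich. The tunnel is an outbound
  # connection from the host, so no inbound port is opened on the home router.
  - hostname: photos.example.com
    service: http://localhost:2283   # assumption: Immich listening on its default port
    originRequest:
      access:
        # cloudflared validates the Access JWT before proxying to the origin,
        # so a missing or misconfigured Access application fails closed
        # instead of exposing Immich to the whole internet.
        required: true
        teamName: <your-team-name>
        audTag:
          - <ACCESS-APPLICATION-AUD-TAG>

  # Mandatory catch-all: any other hostname gets a 404 rather than
  # falling through to a local service.
  - service: http_status:404
```

The email rule itself is set in the Access application's policy in the Zero Trust dashboard, not in this file; the `audTag` value is the Application Audience tag shown for that application.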