Yea its pretty bad, there are pages of non-fixed confirmed exploits, you really shouldnt let it face the net.

VPN is one solution, and actually the only real solution for app-based jellyfin (TV, phone apps) I found so far.

Another is to host Jellyfin behind reverse proxy, and have a completely independent authgatein front of it (authentik, authelia). Jellyfin even supports LDAP (trough plugin), so you dont have to login twice per visit. The downside is only web interface can be hidden this way, as apps will break expecting jellyfin auth page and finding something else.