To alleviate your concerns, I have a public facing Jellyfin instance hosted on a subdomain for almost a year now. So far zero pwns or bot activity.