Hacker News

RajT88, yesterday at 10:05 PM

> "Bothering" with client-side password hashing, in the absence of TLS, is security theater.

Filtering out unsophisticated attackers I would not classify as "theater".

Read this, and let me know if the implications of port forwarding your server (or putting it on IP6) are readily apparent:

https://jellyfin.org/docs/general/post-install/networking/#s...

A lot of these users are not very sophisticated themselves. The least sophisticated attackers are likely to be the most numerous.

This is bad. People who say it's not bad (or worse, suggesting anyone dumb enough to publicly expose their server without TLS) are engaging in security snobbery.