I work in security as well.

If you only have a single user that accesses via a single static IP then it isn’t much of an issue to manually maintain an IP whitelist.

Allowing access to multiple users across many different networks, means that you’re going to have to deal with their IP changing frequently often multiple times per day. You’d have to be available full-time to update your whitelist if done manually.

If you’re going to run software on those machines to check for their public IP and report it to you (or a script you run) in order to update your firewall’s whitelist then you could just as easily (or, I’d argue, more easily) run a Tailscale client on their machine and only give them access to Jellyfin via Tailscale’s ACL.

I just mean that you can’t simply put Jellyfin behind a reverse proxy and alter some port forwarding rules to protect against the argument injection vulnerability, since it executes the ffmpeg command as the Jellyfin’s service account so it would have access to any file that that account could access (which should be limited to the container, but some people run it bare metal still).

Using a VPN is just easier to deal with, to me, than trying to allow any access from Internet IPs. The firewall can simply block everything from the Internet that isn’t VPN traffic. This is especially true if you control all of the devices that will be connecting to your network.

All of my traffic, even LAN traffic, is on one VPN or another. Everything is done ‘locally’ on the VPNs regardless of where the device is located.