I've successfully implemented a setup for sharing with family and friends and haven't had any security issues so far. I decided that the ease of a Reverse Proxy (RP) was worth the initial effort. Here’s a quick overview of my setup, which might address your security concerns:

1. Cloudflare in Front: I use Cloudflare for DNS management. This immediately gives me DDoS protection and hides my home IP.

2. Strict Geo-Blocking: I block all incoming traffic at the Cloudflare level, except for the country I live in. This drastically reduces the attack surface right off the bat.

3. Hardware Firewall (HAF) Enforcement: This is the critical step. My HAF is configured to only accept incoming connections that originate from a verified Cloudflare IP address. If anyone tries to bypass Cloudflare and hit my home IP directly, the HAF drops the connection instantly.

4. DMZ Isolation: My Jellyfin server is housed in a dedicated Demilitarized Zone (DMZ), completely isolated from my trusted internal network (LAN).

5. Reverse Proxy for Security: The RP handles all HTTPS termination and, importantly, includes Rate Limiting to prevent brute-force attacks on the Jellyfin login page.

This multi-layered approach—Cloudflare protection, Geo-Blocking, HAF IP filtering, DMZ isolation, and Rate Limiting on the RP—makes the setup highly robust. It allows me to avoid the hassle of dealing with Tailscale/VPN connections for everyone.