I’ll start. Did you know you can run a headless version of JD2 on a raspberry pi? It’s not the greatest thing in the world, but sometimes its nice to throw a bunch of links in there and go to sleep.
All IMO of course but I think you’d only be on the hook legally for using Jellyfin if you sold access to your server. A private server would never hit the radar in a million years. The bad thing about exposing ports is you’re giving access to a service and therefore you’re relying on the Jellyfin authentication system to be secure. If there are flaws then, at best, someone could watch your content (and possibly delete it depending on your JF config) and at worst they could escalate privileges to get access to the hosting server and do whatever they want on your network. Like I said, I ran it on docker behind traefik (as the reverse proxy) and had no concerns doing so. I would much rather have the slight extra hassle of Jellyfin over Plex because I didn’t want the Plex middle-man sat between me and the person consuming the content. Jellyfin is a direct connection and there’s an app on Roku so it met all my needs.