FWIW it seems Jellyfin has some application-specific authentication/security bugs that complicate things a bit. Of course the same concepts should generally apply, but some considerations will be different depending on what application you’re exposing.
That said, VPN would be much more manageable if I was trying to really push performance or scale out the network.
I agree with the folks saying reverse proxy of some kind + WAF. That way end users don’t have to deal with the VPN, but your home system is not directly exposed.
I’ve been doing something similar with SSH local port forwarding and a $5/month VPS. Haven’t come anywhere close to my network quotas, and performance has not been an issue for home use with 2-5 concurrent users most of the time. I forward the local caddy ports to unprivileged ports/user on the VPS, then use the firewall on the VPS to forward that port to 443 and lock down the rest.
Oh no! “It could also further erode public trust in the tech.” Don’t threaten me with a good time.