Kind of a quick off the cuff question… but is it difficult to get a docker hosted jellyfin server accessible outside of lan safely?
I have tailscale and a VPN I can use for my own devices but would like to be able to access it safely without needing those.
Why not just run your own WireGuard instance? I have a pivpn vm for it and it works great. You could also just put jellyfin behind a TLS terminating reverse proxy.
Sounds like a pain to get non technical family members to use. If you're willing to break the non web app you could always put it behind an authenticating proxy (which is what I do for myself outside of VPN, setting up a VPN on a phone is obnoxious and I only look at metadata anyway on my phone)
Or headscale, works like a charm
CGNAT is a big reason.