you are right to be careful here. But it certainly is also not a “requirement to deploy jellyfin” either. It’s just a good practice to minimize attack surface, no matter what you expose. Unless it’s meant for the general public and advertised, then this makes little sense :-)

Also, most selfhosters have at best one IP to use. This helps with the one-IP-multiple-webservices problem anyway.

I put mine behind a reverse proxy, like any sane person would. Configure an original sni and you are basically invisible. (Tls1.3, doh/dot make it even better, depending on your threat model, but most likely overkill)