Do we even know that Plex is better? It’s closed source and hasn’t been audited afaik

Yes… because you can take the raw request your browser makes… remove your auth cookie and replay the same request and it fails.

Closed source doesn’t mean that it can’t be tested for problems. Just means that you can’t go to the code to understand why it’s a problem. You can still see that the problem exists (or doesn’t in this case).

Edit: I haven’t tested every api endpoint myself… but for video files it doesn’t work. It’s not vulnerable to the same thing that JF is in that specific case.

It is if you have compared them together.

I haven’t recently thought and I am a lifetime Plex pass user (we will see what lifetime truly means sooner or later) and I have still been unaffected by most of the changes Plex has done (watch together is the 1st valuable feature that I have lost), so if you can’t expose Jellyfin then it is not better than Plex for me.