I don’t disagree, and I am one of the VPN advocates you mention. Generally there is no issue with exposing jellyfin via proxy to the internet.

The original question seemed to imply an over-secure solution so a lot of over-secure solutions exist. There is good cause to operate services, like jellyfin, via some permanent VPN.

I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.

Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don’t want them on your network; using a proxy like nginx is the way.

Being new to this I would look into how to set these things up in docker using docker-compose.

If you wanted to go overboard, don’t even make the server accessible publicly. Distribute keys to a Wireguard network that is accessible publicly. Mandate your players obtain keys from you to play.

Veracrypt. Make a file on your disk.

Don’t want a storage file?

Make 2 partitions, put veracrypt portable exe on the first normal storage partition. (fat32 is likely ideal here) Second partition formatted with veracrypt.

You still don’t read.

You asked a simple question about “better” which is pretty subjective for whooping out the references along accusations of falsehood.

“virally open source”

Which answered the original question quite succinctly. I wish you would have read more carefully before…

I transcode to ramdisk.