Most of these issues require a malicious user, right? I think none of them really are a problem for a friends-and-family instance (as long as they don't get their creds stolen obv). For a single-user usage, none of these really are issues, are they?
As long as you're not opening JF up to the internet none of these are a real issue, so you're fine with a single person/house/network with trusted users.
The middle of the list had a media disclosure without any auth via the image API.
That would mean running a publicly accessible instance would be ill-advised if you care about the privacy of what you host. Plex on the other hand somewhat encourages publicly accessible instances, so you can listen/watch while not at home.
(The caveat being, certain plugins disclose media to Plex but arguably that's a first or second party not some rando on the internet scraping stuff)
I've been running it for the past year and besides the occasional odd bug with media discovery, it's run great for me and my family for all our movies and TV shows.
The build steps were a nightmare. That's mostly the fault of Samsung, but it was still very off-putting. Unless I was doing something wrong. It took me a couple full nights after work to finally get it done and on the TV, trying to set up Samsung's developer tools on multiple different machines. I dread having to do it again.
Yeah it's been working perfectly for me ever since I set it up last fall (maybe it was winter, can't remember). At least half a year. I'd say it's worth the effort, but the process still sucks.
One of the things I remember making it real difficult was that the UI of Samsung's dev tools app assumes you have the default light theme in GTK (or whatever widget toolkit they're using), and since I had a different dark theme, I couldn't see any of the icons.
So then I switched to one of my devices that was running Ubuntu 20.04 with Gnome, where the app would not launch due to something about "pixbuf". Side note - I'd had that particular error so many times in Ubuntu with various apps that it's the sole reason I eventually learned Arch (and tiling window managers), and haven't looked back since.
I finally managed to get it to launch and work correctly on Xubuntu running on my girlfriend's very, very old laptop that takes about 8 minutes to boot to full speed. So save yourself the headache, and run the Samsung dev tools app on an unmolested Linux installation, with no special theming, that is not vanilla Ubuntu.
Oh, in that case, I'm sure Samsung has it available for Windows, and it will probably work even better than the Linux version does (considering there aren't dozens of Windows distributions, and dozens of window managers, and a half-dozen popular GUI toolkits to account for).
They have done a great job, but ultimately I believe a tool like Go or Rust would work much better, and the XML metadata format, while standard, is not very good. Would be nice to see YAML or even JSON. Kodi is my go-to for the most part, but I will have to say Jellyfin is definitely more polished. It downloaded the transparent logo for the movie I was watching and displayed it so nicely when I started a movie. I remember Plex offering music themes when you were browsing a collection. I wonder if Jellyfin does something similar already.
1: https://github.com/jellyfin/jellyfin/issues/5415