My big fear isn't malicious library access, but that the bad actors pushed a malicious update to Plex itself and that my server is now running malicious code doing God knows what on my network.
Don't let "media manager" apps have direct read-write access to files - they tend to spew metadata all over files, and if there's a bug in the software it can corrupt your data. Doubly-so for an internet-facing dependency dumpsterfire like Plex. It's also worth having at-least a DMZ with ingress/egress filtering for any internet-facing services such as Plex - only allow them to connect to what they need.
A filesystem which supports snapshots and rollbacks is good to have underlying your media collection as well (ZFS, BTRFS, etc)
A filesystem which supports snapshots and rollbacks is good to have underlying your media collection as well (ZFS, BTRFS, etc)