by jeroenhd 1103 days ago
Many of these don't seem too bad to be honest. A lot of these are information disclosures that require knowing very long tokens.

The LDAP addon listing credentials is bad. The rest seems like it shouldn't be a problem for normal (in-home streaming) usage; i.e. users reading each other's last login time shouldn't be a problem if you trust the people you share the server with.


That's really the key point here: Trusting the people you share the server with.

Jellyfin is kind of binary in that regard. Once you're authenticated - no matter the privileges - you can reach a lot of places. I've written about this recently, if anyone's interested.

Like others have mentioned, you should probably only expose the server to a trusted group of users (ideally not directly on the Internet).

Definitely. I know there are people who share Plex servers with tens or even hundreds of people, and for those types of use cases you'll definitely want to avoid Jellyfin, but that's not what Jellyfin is intended to be used for.

I don't think standard users can change important system settings, but I've always assumed that they can look at stuff like logged in users and the current state of the system.