by GEBIRGE 1104 days ago
That's really the key point here: Trusting the people you share the server with.

Jellyfin is kind of binary in that regard. Once you're authenticated - no matter the privileges - you can reach a lot of places. I've written about this recently, if anyone's interested.

Like others have mentioned, you should probably only expose the server to a trusted group of users (ideally not directly on the Internet).

1 comments

Definitely. I know there are people who share Plex servers with tens or even hundreds of people, and for those types of use cases you'll definitely want to avoid Jellyfin, but that's not what Jellyfin is intended to be used for.

I don't think standard users can change important system settings, but I've always assumed that they can look at stuff like logged-in users and the current state of the system.