I have a Jellyfin instance on my local server which I forward to the public web via a cloudflare tunnel. I'm not sure how secure it is, and I keep getting random requests from all over the world. It's my first experience maintaining something on a public domain so I may be worrying about something obvious, but some advice would still be appreciated.
Obsfucation can help stimey scripts. I saw using a non-standard port mentioned.
You can also setup a reverse proxy to deliver a different, empty site to a different dns entry by default. Use either a completely separate (as opposed to multidomain) cert for each, or a wildcard cert.
Jellyfin also supports using a custom path, instead of delivering at the root. Your reverse proxy would need to be configured accordingly.