How is this different than streamlit? It’s just a python wrapper over a javascript webserver that abstracts most of it away from non devs right?

You’re allowing random people to access those services. Jellyfin almost definitely has a 0 day exploit so anyone who has access would potentially be able to use that on you. I would wager burning a 0 day on a random is probably not gonna be happening but also the odds of a random realizing they’ve been hacked is pretty low too so you never really know.