Does jellyfin have known vulnerabilities for bots to exploit? It's been up for several years with, afaik, no problems.
System has usual steps taken to harden it, JF is behind an apache proxy, letsencrypt handles ssl certs, fail2ban is running, and users are required to have strong passwords with no option to reset or self-register.