I’m referring to ZERO DAYs. OpenSSH is a serious security product. Those web apps are written by random people and probably riddled with vulnerabilities not known to public.

Here is the rule. Only a trusted vpn and ssh key authentication can be public.

You are doing it wrong: SSH with key authentication is the most secure piece, and could even be public. Immich and Jellyfin surely have zero days and should be behind VPN

Off topic.

Jellyfin apps seem to me less user friendly than plex.

Plex iOS app moves back and forth in the video pretty fast. Why are there pictures of cups and tea etc instead of clear 10s back and forth? Common!

If you are not familiar with VPNs set up, then use Tailscale. If it can make direct connections, you are done.

Otherwise, run a Wireguard server on VPs