It has several unsecured endpoints.
https://github.com/jellyfin/jellyfin/issues/5415
If you read the comments the devs know it’s a serious issue but don’t want to break backwards compatibility fixing them. Their solution for now is to warn people of the risks of exposing their instance to the Web. Which I don’t think they’re doing a great job of.
Jellyfin is notoriously full of security holes. It’s recommended to not expose it to the Internet. It’s also easy easier on Plex, at least until this bullshit, to have a random non-techie family member sign in to your Plex server from anywhere. I never liked Plex and never got into it, but I see why people used to prefer it.
I think Emby is a good middle ground for people looking to jump ship from Plex. But I switched to jellyfin from my lifetime Emby sub because the plug-in community there feels dead and Emby development felt dead in the water.
Good news, you don’t need an app for audiobookshelf. If the iOS devs are trying to leach money from you, you can just use the web client to stream your books. The only downside is I don’t think you’ll be able to download files for offline use.