None. Dashy’s authentication was famously literally security theatre even with Keycloak. You could just pause the load in browser and have full access to the config. Because it let you iframe whatever you could now do so with local services to enum. Somehow Jellyfin is unbustable though. So it’s a bit of a crapshoot. Look at past vulnerabilities. Stuff like XSS unless stored you don’t need to worry about, clickjacking, tab nabbing etc. On the other hand anything that’s arbitrary file read, SQLI, RCE, LFI, RFI, SSRF etc. I would look at seriously. E.g. don’t make your 13ft public because it can be used to literally enumerate your entire private network.
You’ve got the coolest instance name I’ve seen btw! Not sure if it’s depression lofi band or a real thing but awesome either way