hurutparittya | 10 months ago
It's possible to get unauthenticated streams if you know the media paths. Media collections, at least in my experience, usually adhere to a few common organization schemes. This would allow someone with a list of common titles, which are available in various public databases, to leak data by brute force from a public-facing Jellyfin instance quite efficiently.
Discounting this as merely "suboptimal behavior" sounds like a mistake.