I am using tailscale but I went a little further to let my family log in with their Gmail( they will not make any account for 1 million dollars)
Tailscale funneled
Jellyfin
Keycloak (adminless)
Private Tailscale
Keycloak admin
Postgres dB
I hook up jellyfin to Keycloak (adminless) using the sso plugin. And hook Keycloak up (using the private instance) to use Google as an identity provider with a private app.
basic authentication. If you restrict deletion to admin users and use role (or group) based auth to restrict that jellyfin admin ability to people with strong passwords in keycloak, i think you are good. Still the only risk is people could delete your media if an adminusers gmail is hacked.
Will say it's not as secure as restricting access to vpn, you could be brute forced. Frankly it would be preferable to set up rate limiting, but that was a bridge too far for me