Hacker News

Most of these issues require a malicious user, right? I think none of them really are a problem for a friends-and-family instance (as long as they don't get their creds stolen obv). For a single-user usage, none of these really are issues, are they?



As long as you're not opening JF up to the internet none of these are a real issue, so you're fine with a single person/house/network with trusted users.


The middle of the list had a media disclosure without any auth via the image API.

That would mean running a publicly accessible instance would be ill-advised if you care about the privacy of what you host. Plex on the other hand somewhat encourages publicly accessible instances, so you can listen/watch while not at home.

(The caveat being, certain plugins disclose media to Plex, but arguably that's a first or second party, not some rando on the internet scraping stuff.)


Drive-by scans happen all the time. Mass scans take 15 minutes to scan the entire internet, for instance.



