Yes. There are enough signed and exploitable Windows Boot loader which you can use to boot anything you want.

And for containers auto updates once every day.

Got apticron set up on my servers or similar solutions to get notified when updates are available. Then usually, from time of notification +1 or 2 days.

Luckily thanks to their licensing model they basically cannot. Immich has according to github as of now 1606 contributors. Changing the license so that there could even be a proprietary fork would require basically the ok by every contributor (that made a relevant code contribution)

Yep, there even was a standard that would have been sufficient, Do Not Track. https://en.m.wikipedia.org/wiki/Do_Not_Track

I host my mail with mailcow and it is almost set and forget. I only had a couple issues with some mail providers, but a small email exchange with the admins cleared that up.

Have a handful of users, that have not complained about anything not working or spam or whatever 🤷‍♂️

Besides that, security by obscurity is the worst possible form and barely qualifies as security at all.

In fact security by obscurity is not security at all. In this case it should be authenticated or to the very least to actually use a random string like a uuid. But, changing the root path does prevent it from exploiting. Not perfect but a temporary solution.

It’s also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.

Another place? What else? You mean setting up you own server? That is in fact your responsibility.

Just because an app is old, does not mean that it is not usable or bad. Let’s look at games for example.