Are you talking about TPM 2? Because I don't think that makes classic ransomware more difficult. Also it doesn't have to be strictly a motherboard feature, e.g mine comes without a fixed hardware TPM, but my processor supports fTPM, which has up- and downsides. But it works as a TPM.
Also MS: Sadly, if your tech doesn't have these features you cannot upgrade and it will be insecure because I will not make updates for it.
Technically, this isn't true, MS will continue to update Windows 10 and even individual users can receive these officially through the Windows 10 ESU program: https://learn.microsoft.com/en-us/windows/whats-new/extended-security-updates
Not that I'm in favor of what they're doing, I think they should rather support older hardware with Win 11 and require modern features only on modern systems. But from a security standpoint, their decision is actually good, as it builds a secure foundation. Most private users will just do whatever on that foundation (e.g. run random stuff from the Internet), but I think going forward, this is the right choice, though probably for the wrong reason of doing Intel a favor.
The way I do it with webservices is that I serve them all from virtual hosts. Scan my IP on port port 80? 301 moved permanently to same host port 443. 443? Welcome to nginx! Which webservice is actually served depends on the hostname being requested. The hostnames are just part of a wildcard subdomain with a matching wildcard certificate, so you can't derive the hosts from the blank landing page's cert. Though one option would be to disable https when no matching virtual host is found.
I know this isn't protection against sophisticated attackers, but nobody uses my home services except me when I'm not home so the exposure is very limited.
Anyhow, with Plex you have a central provider who, if I'm not mistaken, knows a lot about how their customers use their product. The angle of attack is different.