gencha

Yes

S3 goes beyond the scope you describe. You disqualify yourself with such statements

I disagree. Local files access is always superior. If you disagree, your target solution is likely poor to begin with

S3 storage is simpler than local files? I think you need to elaborate

Chrome is the backdoor and you already installed it

I roll out Step CA to my workstation with an Ansible role. All other clients on the lab trust this CA and are allowed to request certificates for themselves through ACME, like LetsEncrypt.

All my services on all clients on the network are exposed through traefik, which also handles the ACME process.

When it comes to Jellyfin, this is entirely counter-productive. Your media server needs to be accessible to be useful. Jellyfin should be run with host networking to enable DLNA, which will never pass through TLS. Additionally, not all clients support custom CAs. Chromecast or the OS on a TV are prime candidates to break once you move your Jellyfin entirely behind a proxy with custom CA certificates. You can waste a lot of time on this and achieve very little. If you only use the web UI for Jellyfin, then you might not care, but I prefer to keep this service out of the fancy HTTPS setup.

He was on flights to Epstein's Island. Everyone should care

I prefer having a convenient pull mechanism that I can trigger from a workstation in the lab network. I maintain the setup with Ansible

Given the data points you made up, I feel it's safe to assume that this plateau will now be a 10 year stretch

The great thing about blanket terms like "AI" is that you can slap it on everything.