Eyyy yes! I just picked up an MZ-N505 a few months ago! It's been great at work to quickly start music without staring at my phone for 5 minutes first.
Plex, as a company, definitely is aware of what items are in your library, but streams don't go through the Plex servers unless you use the Plex proxy service, which is enabled by default but only used when the client connection speed is too slow to use the desired streaming setting.
Everyone who accesses their Plex externally should use app.plex.tv rather than NAT/port forwarding unless they're also doing IP whitelisting on the NAT (not feasible for most remote access scenarios, as IPs are dynamic in most cases). Jellyfin should never be exposed externally.
I work in a highly regulated sector of IT and have learned that even the most robust software will have serious exploits at some point.
I always wonder why some people are so dedicated to Jellyfin. Even if JF had full feature and experience parity, it would still not have secure remote access the way Plex does. There is no need to port forward or NAT Plex for external access if you use app.plex.tv to access. With the threat landscape the way it is today, that is worth a lot.
I was interested in Apple's approach where they would look at checksums of the images to see if they matched checksums of known CSAM. It's trivial to defeat by changing even a single pixel, but it's the only acceptable way to implement this scanning. Any other method is an overreach and a huge invasion of privacy.
You don't think it's possible that the accusations were mostly unfounded and the LTT crew are just decent people? They did bring up some issues with onboarding, which are completely expected at smaller companies.
At my work we pay auditors to assess our security controls, and I would choose a different company if I thought they were being anything less than honest with us on their findings. The agreements and SOW are set up at the beginning of the engagement, so the investigators get paid regardless of their findings. It's not like the bond rating agencies on Wall Street.
It must work like the music streaming model, where Apple kicks back a fee to the devs based on monthly installs or usage. It probably works better than Microsoft's model of buying a developer, not committing resources to run them, then closing the studio.
The subscription model is, in my opinion, dumb. If they need it to work, maybe they should buy games instead of studios. I can't work out exactly how long-term patching would work though, unless they kicked back a maintenance fee from sales and Game Pass usage to the studio.
When I worked at an internet provider, Netflix sent us a cache (I'm sure they have several at that ISP now). I can't imagine it cost them more than a few thousand dollars, as it was just a bare bones box full of hard drives. We gave them free power, internet, and rack space in our data center. Every night during the slow period it would fill up with whatever they thought would stream the next day.
It had nothing to do with neighborhoods; the cache served customers all over Maine, and they didn't pay us anything. Netflix's costs are more likely content and licensing.