I'm not a pro at Docker, but I've spun up over 30 different services using Docker Compose so I'm more than a novice. I would say that Lemmy's documentation is the worst I've ever seen.
The website points you at that compose file which is (I think?) designed for Ansible. I think there's another example somewhere without all the jibbery joo, but I can't search for it right now.
I'm a dum-dum, can someone explain? Does "off balance sheet" just mean "we have these "assets" but we aren't going to tell you what they are because we don't have to"?
I think the docs recommend (and this is how I have it set up) leaving the go2rtc stream as you have it currently, and changing the stream path for the camera config to rtsp://127.0.0.1:8554/nursery
We have a cheap WiFi camera with PTZ hooked into Frigate. It has been really great, although I ended up buying another wifi AP because our 2.4Ghz is pretty crowded with IoT stuff.
Your router is what determines what has access to what. By default, things can access the internet on ports 80 (http) and 443 (https). Jellyfin has access to the internet to download metadata, art, etc. If you want to block this activity, I don't know the answer to that.
Your router is split between LAN and WAN. Local Area Network (your house) and Wide Area Network (the world). LAN to LAN doesn't have restrictions by default, which is why you can access Jellyfin on port 8096 while you're connected to your home network.
LAN<->WAN has restrictions in place via your firewall. Your router has a default firewall. Some routers allow you to change the firewall rules. Firewalls are very important. Port 8096 is not forwarded to the WAN by default, and you have to change a setting in your router to do that.