Since https://blog.cloudflare.com/updated-tos it is not completely clear if you disable Cloudflare's cache indeed. Still the terms are unclear enough that they could cut you out, and I'd feel uneasy exposing a Jellyfin instance publicly, but that's just me :)
This is very cool, but you should not use Cloudflare Tunnels to stream media. This is forbidden by their terms of service (or at the very least not the intended use of Tunnels and they may disable your service). Use Wireguard or Tailscale instead.
That's true. This specific attack was mitigated by hash pinning, but some actions like https://github.com/1Password/load-secrets-action default to using the latest version of an underlying dependency.