I remember you were worried about your ISP messing things up for you, hence the VPN. I would recommend creating a “Virtual Machine” that does all of your downloading to whatever hard drive you’re using. That VM can have proton installed. Then, on your regular computer (not within the VM), you can host Jellyfin with no VPN involved, making it accessible at 192.168.0.xx.

I think this hits your goals without needing to expose Jellyfin to the Internet. Plus it has minimal technical complexity. Your downloading traffic will be VPN protected, but Jellyfin will still be accessible to your local network.
edit: You can set up a password for Jellyfin, protecting it from your internal threats.

edit2: You can use letsencrypt to create a certificate that picky clients will accept. Buy a domain, any domain, and configure the “A record” to point to 192.168.0.xx (your Jellyfin IP). Then tell your client to go to whatever domain you get, like “luigiliterallydidnothingwrongplzfree.com”, then the client will have to use the internet to ask DNS what the IP address is, but after that, it will just use your local network.

edit3: Since you just have the raspberry PI, instead of using a Virtual Machine, you could have 2 separate SD cards. One only has the downloader and VPN installed, the other only has Jellyfin installed (no VPN). Then swap as needed.

Do you have more information on this, or a phrase to Google? The idea of zero traffic, zero petty crime sounds incredibly impressive