I actually believe this is an unwinnable scenario for clients. Just whenever the block app/db updates, automatically check if ads are blocked. If they are, have an engineer or AI iterate until it no longer is the case.

And the reason why blocking solutions can’t do the same is that there’s cery kittle money in it and not enough people working for free on it. Or that’s atleast my hypothesis…

“Only” 70%, though of course the point stands.

Recently nginx had an RCE, so if your web server interface has an RCE, it doesn’t matter if jellyfin code is top-notch, if you happen to use a proxy with RCE in front of it. Wireguard has never had an RCE and I’m relatively certain it never will, because I believe you must be in possession of some keys to go very deep in the wireguard code, which in itself is not very large piece of code.

But yes, in principle I agree that we should code securely instead of depending on VPN to solve it for us, unfortunately it’s not the reality today. Memory safe programming languages help, but don’t completely protect against logic errors. VPN is general is pretty good for defence-in-depth.