For what it’s worth, I only ever had that be a problem once in the past year I’ve been using Immich. And I don’t update more than once a month. I think it is uncommon anymore for them to release updates for the app that are incompatible with various sever version iterations.

Call me careless, but I personally don’t think exposing services publicly is that big of a deal. I’ve been publicly exposing Home Assistant, Jellyfin, Immich, Joplin and a few others for at least 3 years now with no repercussions. Everyone’s risk tolerance is different, but I wouldn’t write off publicly available services. Precautions like a reverse proxy, Crowdsec, Fail2ban, and Authelia all lower the risk profile.

There’s nothing wrong with making a reverse proxy only for use inside your homelab. It’s one way to resolve internal DNS queries and give addresses to your services. It’s perhaps the best, because it’s the only way I know that doesn’t necessitate remembering port numbers.

E.g. You are hosting something at 192.168.1.20 on port 3310. Even if you set a local DNS record for pihole.itjust.donn to resolve to 192.168.1.20, you’ll still have to type pihole.itjust.donn:3310 to access it. The same isn’t true with a reverse proxy.