If you can ensure that only your friends get there (VPN would be my choice here), you can probably exclude malicious intent.
Plex is highly oriented towards a naive networking model that assumes a typical NAT-based residential broadband network on both ends. It nearly freaks out if the server side doesn't resemble this, expecting there to be something called a "port forward" (wtf is this) and making various assumptions about what qualifies as a "local network"; meanwhile, client endpoints include mobile devices and media streamers that may not even have VPN capabilities.
Those of us who operate Internet ASNs and have significant IP networking assets should theoretically find it easy to light up a Plex instance on live, routable IPv4 space, but instead find ourselves doing battle with weird and incorrect assumptions designed into Plex about how networks work, how to identify what a "local" network is, etc.
I set this as background in order to hopefully avoid offending you when I say that requiring a reliance on VPN for "security" is also problematic; I think the goal should be for Plex to be your own replacement for Netflix or whatever commercial streaming service you wish, serving up a media library that you yourself chose. With more than a dozen pricey commercial streaming services out there, you can be paying as much as you would for premium cable. This suggests that using Plex needs to be approximately as easy, on the client side, as using Netflix. I know that's what the Plex developers are shooting for.