
> BOSH client abstraction to convert that to http

This still means the outside world can interact with the XMPP server, correct?

If so then this is my concern - an XMPP server seems like a huge attack surface for the tiny bit of functionality Jitsi needs (I'm confident it's using less than 10% of the actual capabilities of the XMPP server, which means the rest of the code paths are mostly untested in this scenario and are ripe for abuse and potential exploits).

In your case, is this an internal server or is it open to the Internet?



It is authenticated, i.e. only logged-in users have access. Prosody is a well-tested XMPP implementation and is used in many production applications. meet.jit.si is an unauthenticated deployment and many people use it.

I wouldn't call it a tiny bit of functionality; MUC and SFU are the two main components of any video conferencing solution. XMPP helps provide MUC capability. Jicofo is the component; you can see the implementation here: https://github.com/jitsi/jicofo

BOSH does not allow all operations available via the XMPP standard; there are restrictions possible, to maintain security.



