It used to be an open source project, then at some point the developers moved it to closed source. In reaction to this, a couple of people forked the last open source version of emby and launched it as an open source project (again) named jellyfin.
It is still open source and under active development, and has a significant userbase. Especially on Lemmy I think it’s much preferred by people to emby (or at least more vocally supported).
Would you accept a certificate issued by AWS (Amazon)? Or GCP (Google)? Or azure (Microsoft)? Do you visit websites behind cloudflare with CF issued certs? Because all 4 of those certificates are free. There is no identity validation for signing up for any of them really past having access to some payment form (and I don’t even think all of them do even that). And you could argue between those 4 companies it’s about 80-90% of the traffic on the internet these days.
Paid vs free is not a reliable comparison for trust. If anything, non-automated processes where a random engineer just gets the new cert and then hopefully remembers to delete it has a number of risk factors that doesn’t exist with LE (or other ACME supporting providers).