Right now none of the native clients support SSO. It is a frequently requested feature but, unfortunately, it doesn’t look like it will be implemented any time soon. As with many OSS projects it is probably a case of “you want it, you build it” - but nobody has actually stepped up.

For web access, stick it behind a reverse proxy and use something like Authentik/Authelia/SSO provider of your choice to secure it.

For full access including native clients, set up a VPN.

As a developer myself I’m not sure if I would trust any application to safely handle a configuration that has become invalid due to a breaking change, especially not an app that is still under active development! Better safe than sorry.

Immich has completely replaced Google Photos for me, love it!

My only bugbear is that it is updated very frequently (what a nice problem to have!) which in my case requires a manual once-over of my docker-compose file every time in case there are breaking changes.

Solution: don’t read that shitrag. It was always a waste of paper, now it is a waste of bandwidth as well.

For digital copies, they could bury this into the EULA and make it a requirement that you agree to it before you make your purchase (IIRC some storefronts do this already).

However for physical copies I suppose there could be a case made if the duration of support was not disclosed at the time of purchase (or it was not printed somewhere on the outside of the packaging).

I use both. Pi-hole running in a docker container on one of my home servers which my gateway is configured to assign as the default DNS for all clients, and uBlock Origin on all my browsers to catch everything else.

Pihole is pretty good at catching ads on platforms that are not suited to browser based blockers (IoT devices, streaming boxes etc) but it isn’t perfect and is best used in conjunction with another solution.