I doubt the mantra of "don't roll your own Auth/crypto" - especially if it lives on a server where the code can't be inspected.
Sure, there will be more bugs in my code, but the attackers will be putting far more scrutiny into a widely used library.
Some deliberately hilariously weak auth I built decades ago is only just now starting to get broken into by AI bots, whereas any vulnerable wordpress was broken into within days.
Thinking of use cases where services I build have reasonably low internal userbase. Maybe rolling out own is not worst choice always. After all it leads to manual or at least targeted work by attackers. Instead of very common spraying stuff randomly. So risks might in the end be lower.