Probably. It is FOSS so it seems unlikely that it would include malware since that would be a massive fiasco if any malware were found. But of course the only way to know for sure is to review the code yourself.

For what it’s worth, the promise right in the source is:

Jellyfin Wrapped is an entirely client-side application. Your data stays private and is never sent to any external service.

I tried it. I first opened my browser developer tools and watched network activity and, after downloading the app from https://jellyfin-wrapped.jpc.io/ , only saw traffic to my own Jellyfin server.