@watery: My Tomcat is reachable through the Internet, even though currently only after previous user authentication (behind an authenticating Apache 2 reverse proxy) - but I’d still prefer to run a supported version.
Also for Intranets I often read that most break-ins originate from within the network already - by e.g. getting a user to run malware with the restricted user account, and then trying to identify targets for access and privilege escalation within the network. So that’s something to keep in mind.
@tmortagne: I now added the Debian 11 repositories in addition to the Debian 12 repositories. This will provide Tomcat 9 security and maintenance upgrades while it’s still supported in Debian 11. (Not sure if Tomcat will be covered by their extended LTS support, need to check.)
I currently don’t know how long Tomcat 9 will be supported upstream in general, though. I could not easily find an official statement on that at the Tomcat page or by googling.
Regarding Jetty, the Xwiki documentation seems to recommend against deploying it in production scenarios?