Finally got it all working how I wanted it to!
After I granted full access to all 3 shares (Movies, Documentaries & Photos), I changed the mode for each one to Windows ACLs within each one's Dataset permissions.
Set the owner as myself and set the group as Users.
Allow Guest Access is unchecked and Inherit Permissions, ACLs etc. are all unchecked too for all 3 datasets and shares.
Once this was done, I then used Windows Security to uncheck every single box for the Everyone group.
For the Users group (from within Windows), which all the other family members are a part of, I granted it read & execute access but denied write access. Did this for all 3 of my shares.
Next, I added another User to each of the 3 Windows shares called Media which is a member of its own group. I granted this account full access as it's a dedicated account to only be used by my media streamer (WDTV).
Next, I created a dataset called SFTP with an owner called SFTP too which has full access to itself. No group is assigned to this dataset. This allows me to SFTP into my FreeNAS box from outside of my network and ONLY gain access to the SFTP folder and nothing else. This way, if my SFTP account and connection are compromised, the hacker won't be able to get to anything other than the SFTP dataset!
I then created my Plex jail and configured its IP settings. Then followed the instructions from earlier in this thread about assigning it to the Plex account. This means the jail runs under the Plex account which has its own permissions instead of running as a Guest which is insecure.
Took a long time to get my head around how things work but was worth it.
Hope my experience helps someone out.