For untrusted IoT devices I’ve found that sticking them on the IoT VLAN (so no device-to-device communication, and either no or extremely limited internet access; but I let my trusted clients punch through to IoT devices) has allowed me to retain all functionality whilst being confident they’re not up to anything I don’t want or expect.
This is my setup. I find this to be a reasonable balance for comfortable life. Except my printer, that gets no Internet so it cannot update to some crappy firmware that nags about supplies.
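
The segmentation described in the comments above, sketched as an nftables forward chain on the router. This is an added example, not either commenter's configuration; the interface names (`lan0`, `iot0`, `wan0`), the printer address and the NTP-only internet allowance are assumptions.

```nftables
# Assumed interfaces: lan0 = trusted clients, iot0 = IoT VLAN, wan0 = uplink.
# 192.168.20.50 is a constructed address standing in for the printer.
table inet iot_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed to start.
        # This is what lets a trusted client "punch through" and still
        # get replies, without IoT devices being able to initiate.
        ct state established,related accept
        ct state invalid drop

        # Trusted clients may open connections to IoT devices.
        iifname "lan0" oifname "iot0" accept

        # Trusted clients keep normal internet access.
        iifname "lan0" oifname "wan0" accept

        # Printer: no internet at all, so it cannot fetch firmware.
        # Counted so blocked attempts are visible in `nft list ruleset`.
        iifname "iot0" oifname "wan0" ip saddr 192.168.20.50 counter drop

        # IoT devices: extremely limited internet (assumed: NTP only).
        iifname "iot0" oifname "wan0" udp dport 123 accept

        # Everything else, including iot0 -> lan0 and any other
        # iot0 -> wan0 traffic, is logged and falls to policy drop.
        iifname "iot0" log prefix "iot-blocked: " counter
    }
}
```

Traffic between two devices on the same VLAN is switched rather than routed, so it never reaches this chain; blocking device-to-device communication needs client or port isolation on the access point or switch. Access from IoT devices to the router itself (DHCP, DNS) is governed by the input chain, which this example does not cover.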