I have all my so called smart devices on a separate LAN, together with dedicated access points to ensure complete separation from my home network.

So that is 5 CCTV+DVR, rules in place to stop them talking to the Chinese cloud servers. access either from home network or VPN.
About 10 assorted Sonoff+home made switches running Tasmota.

Pi4 running Openhab/Mosquitto with rules to allow backup to home NAS, Openhab app and Openhab cloud service to control above Tasmota devices

Pi3 running  FreePBX with rules to permit SIP phone connections from home and internet, SIP trunks from Internet.

Smart Thermostat with rule to allow connection to Tuya

7 google homes. Music, google, Openhab/Tuya google home integration

None of the above have any place on the home internet. Yes I can connect to them from the home internet, but they cannot initiate a connection. Pi's and cameras are wired, switches and googles via WiFi. Wifi only permits known MAC.

I have always deployed multi tier architectures from when I designed corporate hosting centres with a policy of minimal access between the internet, DMZ devices and the back end services. When I first installed my cameras and observed they were connecting to about 30 servers in China and knowing them to be running a cut down Linux. No way did I want unknown functionality so immediately nobbled them and treat all other devices with the same suspicion. 

Edit. Forgot to say I use PfSense as my firewall to manage the interconnect between Internet, "Smart" network, Home network, Work network.

Hub4/Gig1-> pfSense->Microtik CRS312/CSS326/CRS305->Meshed Asus RT-AX89X