I have six different VLANs and four wifi SSIDs on my home network. There are firewall rules both in/outbound, as well as between IP subnets.
Keeping the IP security cameras and NVR on their own isolated subnet and broadcast domain is a no-brainer, both so that they never "phone home" and also because of the huge traffic they generate en masse.
My WeatherFlow Hubs and WeeWX hardware have their own SSID and VLAN, since they use UDP broadcasts and I don't want to miss any packets due to collisions/traffic on the segment.
I have a whole /24 VLAN for Docker containers, because my chosen Docker host randomly assigns IP addresses to containers instead of honoring DHCP.
I have a VLAN and SSID just for my wife's work-from-home computer. I trained at least three of that company's IT/networking staff, and let's just say that I wouldn't let one of their computers on my home network even if I had to. It has zero access to anything, except the Internet.
No guest wifi at my house. Oh yes, get off my lawn, kid!
Seriously though, I've been doing this stuff to earn a paycheck for 35 years. The network gear that I have all has the enterprise features, so I figure why not use them?????