Have separate networks for secure, normal (mobile devices, Rokus, etc.), and IoT devices.
Might consider a pfSense router/firewall with a UniFi network and APs. A bit harder to manage, but you get much more capability (e.g., block IoT from calling home).
Listen to The Homelab Show podcast for their take on this.