Hacker News

ssl-3, yesterday at 7:30 PM

Use multiple VLANs and SSIDs, and only punch holes or route between them (and to the WAN) if/when absolutely necessary.

It does make it harder to use these things. Some things may even become impossible to use effectively.

The simpler method is just to never trust anything, ever, but that's just a long-winded path that asymptotically approaches having a completely disconnected (airgapped) home.

But the usual default method is even easier. Just use the stuff on the default WLAN that is provided by the ISP like a commoner, have no local services at all (what homelab? what file server? what printer?), and fuhgetaboutit.

So what if the botnet spreads from the Android TV box to the light bulbs? As long as all of the things keep performing their primary roles (rule #1 of a successful infection: don't kill the host), then the bliss of ignorance will be complete.
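The default-deny routing between VLANs that the comment's first paragraph recommends, written as an nftables ruleset for a Linux router. This is an added example, not part of the original comment. The interface names, VLAN numbering, printer address and the specific holes (printing, NTP) are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Assumed layout: eth0 = WAN, eth1.10 = trusted VLAN,
# eth1.20 = IoT VLAN/SSID, eth1.30 = guest VLAN/SSID, printer on the IoT VLAN.
flush ruleset

define WAN     = "eth0"
define TRUSTED = "eth1.10"
define IOT     = "eth1.20"
define GUEST   = "eth1.30"
define PRINTER = 192.168.20.50

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        # The router serves DHCP and DNS to every internal VLAN.
        iifname { $TRUSTED, $IOT, $GUEST } udp dport { 53, 67 } accept
        iifname { $TRUSTED, $IOT, $GUEST } tcp dport 53 accept
        # Router management (SSH) only from the trusted VLAN.
        iifname $TRUSTED tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to flows that an accept rule below already allowed.
        ct state established,related accept
        ct state invalid drop
        # WAN access is itself a hole: trusted and guest get it, IoT only NTP.
        iifname { $TRUSTED, $GUEST } oifname $WAN accept
        iifname $IOT oifname $WAN udp dport 123 accept
        # The one inter-VLAN hole: trusted clients may print.
        iifname $TRUSTED oifname $IOT ip daddr $PRINTER tcp dport { 631, 9100 } accept
        # Everything else falls to the drop policy; count and log it first.
        limit rate 10/minute counter log prefix "fwd-drop "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Traffic between two devices on the same VLAN never reaches the router, so these rules do not separate one IoT device from another; that requires client isolation on the access point or switch.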