>You can't restrict management to specific vlans

This bit me as well, FYI Zyxel switches seem to be among the few that do this properly, even on cheapest models. On the other hand their web interface cannot be used over SSH or other tunnels... The software side of network equipment is in a sad state, no wonder the hyperscalers moved to whitebox switches