Securing / segmenting the network

Hi guys,
I was just wondering if and how you have secured your internal network at home when it comes to the Smarthome/IoT?

Have you put your Homey Pro, Vaccumcleaner, cameras, wifi sensors (not zigbee, matter ofc) on a separate IoT subnet/vlan and only allowing internet access and/or access to the Homey Pro hub?

Is it then possible to allow iphone, ipads on a separate subnet/vlan to reach the Homey Pro internally and not only via internet?