Ramblings of an aging IT geek
networking

cutting a flat network into vlans without burning the weekend

Splitting a single flat home network into VLANs for IoT, lab and trusted devices, and the small things that bite when everything used to be able to see everything.

Patch cables in a home network switch

The house network had been one flat /24 for years, which is to say every smart plug, every lab VM and my laptop all sat in the same broadcast domain and trusted each other completely. That is fine right up until you add a cheap IoT thing that phones home constantly and you start wondering who else it could be talking to.

So: VLANs. One for trusted kit, one for the lab, one for IoT that gets internet and nothing else. The router side was the easy part, a handful of interfaces and firewall rules. The painful bit was that everything had grown up assuming a flat network. mDNS stopped crossing between segments, so the printer vanished and casting from the trusted VLAN to a TV on the IoT VLAN just sat there spinning. The fix was an mDNS reflector and a couple of very specific allow rules, not the blanket "let trusted reach IoT" I was tempted to write at 11pm.
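The inter-VLAN policy described above (each segment reaches the internet, IoT reaches nothing else, and trusted gets a couple of narrow allow rules for casting and printing instead of a blanket "trusted may reach IoT") is easier to reason about as an explicit default-deny table. The following is an added illustration written for this post, not the router's own configuration: the subnets, the rule list and the port numbers (Chromecast 8008/8009, IPP 631) are assumptions, and the evaluator models a stateful router that only inspects the initiating direction of a flow.

```python
"""Model of a default-deny inter-VLAN policy with a short allow list.
Added illustration; the addresses and ports are assumptions, not the
real network."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical VLAN addressing; the post gives no addresses.
VLANS = {
    "trusted": ipaddress.ip_network("10.0.10.0/24"),
    "lab": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str               # source VLAN name
    dst: str               # destination VLAN name, or "internet"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port


# Ordered allow list. Every VLAN may reach the internet; between VLANs only
# the listed flows pass. Port numbers are assumptions for the illustration.
RULES = [
    Rule("trusted", "internet", "any", None),
    Rule("lab", "internet", "any", None),
    Rule("iot", "internet", "any", None),
    Rule("trusted", "iot", "tcp", 8008),  # Chromecast control (assumed)
    Rule("trusted", "iot", "tcp", 8009),  # Chromecast cast channel (assumed)
    Rule("trusted", "iot", "tcp", 631),   # IPP printing (assumed)
]


def vlan_of(ip: str) -> str:
    """Map an address to its VLAN, or 'internet' if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """First-match evaluation of a new, forward-direction flow.

    Replies are assumed to be handled by connection tracking, as on a
    stateful router, so only the initiating direction is checked. Traffic
    that stays inside one VLAN is switched, not routed, so the inter-VLAN
    policy never sees it. Multicast (including mDNS to 224.0.0.251) is
    link-scoped and is never forwarded by the router, which is exactly why
    discovery breaks after segmentation and needs a reflector daemon with
    a leg in each VLAN rather than a firewall rule.
    """
    if ipaddress.ip_address(dst_ip).is_multicast:
        return False
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        return True
    for r in RULES:
        if r.src != src or r.dst != dst:
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return True
    return False  # default deny between segments


def audit(flows):
    """Evaluate a list of (src, dst, proto, dport) tuples; returns the
    same tuples with the verdict appended, handy for answering
    'what can the doorbell talk to' from the rule table."""
    return [(s, d, p, port, is_allowed(s, d, p, port)) for s, d, p, port in flows]


if __name__ == "__main__":
    # Constructed sample flows: a doorbell, a TV and a laptop.
    for row in audit([
        ("10.0.30.5", "10.0.10.20", "tcp", 22),        # doorbell -> laptop
        ("10.0.30.5", "198.51.100.7", "tcp", 443),     # doorbell -> internet
        ("10.0.10.20", "10.0.30.40", "tcp", 8009),     # laptop casts to TV
        ("10.0.20.9", "10.0.30.40", "tcp", 8009),      # lab VM -> TV
        ("10.0.10.20", "224.0.0.251", "udp", 5353),    # mDNS, never routed
    ]):
        print(row)
```

The point of writing the policy this way is that the list of cross-segment exceptions stays short enough to read aloud, and a new device gets nothing until a line is added for it.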

The other trap was DHCP. Half the lab had static leases pinned to the old subnet, so they came up with addresses that no longer routed anywhere. I caught it because nothing in the lab could reach the gateway, which at least fails loudly.
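The stale-lease problem is mechanical enough to check before the cutover rather than discovering it when the lab cannot reach its gateway. This added example (not the post's own tooling) walks a constructed static-lease table and flags every reservation whose pinned address is not inside the subnet of the VLAN the host now belongs to; the subnets, the old flat /24 and the lease entries are all assumptions.

```python
"""Audit static DHCP reservations against the VLAN subnets they should
live in. Added illustration; lease table and subnets are constructed."""
import ipaddress

# Hypothetical VLAN subnets (the post does not give addresses).
VLANS = {
    "trusted": ipaddress.ip_network("10.0.10.0/24"),
    "lab": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
}
OLD_FLAT = ipaddress.ip_network("192.168.1.0/24")  # the pre-VLAN /24, assumed

# Constructed reservation table: (MAC, hostname, pinned address, target VLAN).
STATIC_LEASES = [
    ("02:00:00:00:00:01", "lab-vm1", "192.168.1.50", "lab"),   # never moved
    ("02:00:00:00:00:02", "lab-vm2", "10.0.20.50", "lab"),     # fine
    ("02:00:00:00:00:03", "printer", "192.168.1.10", "iot"),   # never moved
    ("02:00:00:00:00:04", "doorbell", "10.0.30.12", "iot"),    # fine
    ("02:00:00:00:00:05", "laptop", "10.0.30.7", "trusted"),   # wrong VLAN
]


def check_leases(leases, vlans=VLANS, old_flat=OLD_FLAT):
    """Return (hostname, pinned_ip, problem) for each reservation whose
    address does not sit inside its target VLAN's subnet."""
    problems = []
    for _mac, host, ip, vlan in leases:
        addr = ipaddress.ip_address(ip)
        want = vlans[vlan]
        if addr in want:
            continue
        if addr in old_flat:
            problems.append((host, ip, f"still on old flat subnet, expected {want}"))
        else:
            actual = next((n for n, net in vlans.items() if addr in net), None)
            problems.append((host, ip,
                             f"pinned into {actual or 'no known'} subnet, expected {vlan} {want}"))
    return problems


def next_free(vlan, leases, vlans=VLANS, reserved=10):
    """Suggest a replacement address inside the VLAN's subnet, skipping the
    first few hosts (gateway, reflector, and so on) and any address that is
    already reserved anywhere in the table."""
    used = {ipaddress.ip_address(ip) for _m, _h, ip, _v in leases}
    for host in list(vlans[vlan].hosts())[reserved:]:
        if host not in used:
            return str(host)
    return None


if __name__ == "__main__":
    for host, ip, why in check_leases(STATIC_LEASES):
        print(f"{host:10} {ip:15} {why}")
```

Run it against the real reservation export before flipping the VLAN tags on the switch ports; a host that is "pinned into the wrong subnet" will fail just as loudly as one left on the old flat network, but only after you have spent an evening looking at the firewall.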

It works now and I can finally answer "what can the doorbell talk to" with a rule rather than a shrug. Worth doing. Just don't do the IoT segment last; do it first, because that is the whole reason you started.