Ramblings of an aging IT geek
networking

cutting a flat network into vlans without taking everything down

Migrating a single flat home network into separate VLANs for trusted, IoT and guest traffic, and the firewall rule I forgot that quietly broke half of it.


Everything at home used to live on one flat /24. Trusted laptops, a pile of chatty IoT gadgets, the guest phones, all sharing a broadcast domain and all able to talk to each other freely. Fine until you actually think about it, at which point a cheap smart plug having an open path to your file server starts to feel less relaxed and more reckless.

So I split it into VLANs: one for trusted kit, one for IoT, one for guests, each its own subnet with firewall rules between them. The plan was sound. The execution went sideways for the most predictable reason, which is that I moved the IoT devices onto their own VLAN, added a rule to block them reaching the trusted network, and then couldn't understand why half of them stopped working entirely.

The thing I'd forgotten is that IoT devices love mDNS, and mDNS doesn't cross VLANs. It goes to the link-local multicast group 224.0.0.251 (ff02::fb on IPv6) on UDP 5353, and a router doesn't forward link-local multicast between subnets, so my phone on the trusted network couldn't discover anything on the IoT network even where a firewall rule would happily have let the actual connection through. The fix was an mDNS reflector on the gateway plus a carefully scoped, stateful allow rule so the trusted VLAN could open connections to the IoT VLAN's services (and get the replies back), but not the reverse. One caveat worth knowing: the reflector copies announcements in both directions, so the IoT devices still see the trusted VLAN's services advertised; it's the firewall rule, not the reflector, that stops them connecting. Segmentation is easy to draw and fiddly to live with, because half the convenience of a flat network was things finding each other automatically, and that's exactly what you've just switched off.
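An added example, not code from the original post: a small DNS-SD probe in Python that multicasts the standard service-type enumeration query (`_services._dns-sd._udp.local`) and reports which addresses answered and what service types they advertise. Run it from a host on the trusted VLAN before and after enabling the reflector: without the reflector only devices on the probe's own subnet should show up, and with an Avahi-style reflector the relayed answers arrive from the gateway's own address rather than the device's. It assumes the host's own mDNS daemon, if any, set SO_REUSEADDR/SO_REUSEPORT so port 5353 can be shared; the two-second timeout is an arbitrary choice.

```python
#!/usr/bin/env python3
# Added example, not code from the original post: a one-shot DNS-SD
# browse that asks 224.0.0.251 "what service types are out there?" and
# reports which addresses answered. Use it to confirm mDNS really does
# stop at the VLAN boundary, and to see what a reflector lets through.
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
SERVICE_ENUM = "_services._dns-sd._udp.local"  # RFC 6763 service-type enumeration
TYPE_PTR = 12
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_ptr_query(name: str = SERVICE_ENUM) -> bytes:
    """Multicast PTR query; ID and flags are zero as RFC 6762 requires."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def decode_name(packet: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if (length & 0xC0) == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if not jumped:
                end = offset + 2  # the name occupies two bytes at the original spot
            jumped = True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(packet[offset + 1:offset + 1 + length].decode("utf-8", "replace"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_ptr_answers(packet: bytes) -> list:
    """Return the PTR targets from the answer section of an mDNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:  # QR bit clear: this is a query, not a response
        return []
    offset = 12
    for _ in range(qd):  # skip any echoed question records
        _name, offset = decode_name(packet, offset)
        offset += 4
    targets = []
    for _ in range(an):
        _name, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            targets.append(decode_name(packet, offset)[0])
        offset += rdlen
    return targets


def browse(timeout: float = 2.0) -> dict:
    """Send the query and collect {responder_ip: {service types}} until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if hasattr(socket, "SO_REUSEPORT"):  # assumption: local mDNS daemon set it too
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    sock.bind(("", MDNS_PORT))  # source port 5353, so answers come back as multicast
    mreq = socket.inet_aton(MDNS_GROUP) + socket.inet_aton("0.0.0.0")
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # per RFC 6762
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(), (MDNS_GROUP, MDNS_PORT))
    seen = {}
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(9000)
            found = parse_ptr_answers(data)
            if found:
                seen.setdefault(ip, set()).update(found)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    for ip, services in sorted(browse().items()):
        print(ip, ", ".join(sorted(services)))
```

The probe only sees what the link delivers to it, which is the point: an empty result from the trusted VLAN for devices you know are on the IoT VLAN is the broken discovery, not a broken firewall rule, and the allow rule cannot fix it on its own.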