Rather what the hell happened to the guy that had tape on his laptop camera and microphone? Suddenly he's got an always-on listening device. How does one go from one to the other?
Securing a local network is orders of magnitude easier than a laptop which accesses the internet constantly.
Stick the cameras on a vlan only accessible to the (local) servers doing the face recognition, stick the servers on a vlan that has no direct connection to the internet.
Compare this to a laptop which is connected to the internet with multiple attack vectors (browser, email client, etc.)
Does he have some custom-built network router that he trusts? Putting tape over your camera means you know enough not to trust the laptop hardware, nor the OS or browsers, like you said.
But he says: "We use .. Sonos system with Spotify for music, a Samsung TV, a Nest cam for Max". So all of his appliances do get outside.
I did a double-take on Nest cam. So he's streaming videos from his house on the internet with closed-source hw and software.
I didn't read the part about Nest, to be fair, but with some basic network design you can easily segregate networks and reduce your attack surface massively, even if you're using internet-connected devices (separate vlans, use http proxies with ACLs, no inter-device communication where not needed).
The difference between a switch and a laptop is that your switch isn't running browsers with 0days found regularly, no malicious JS payloads, no phishing emails.
To exploit a switch you generally need access to the management interface, something anyone who has any experience with networking does not put on the same network (virtual or physical) as laptops, iPads, televisions, or internet connected cameras.
I agree with what you are saying, however tape over the camera means you don't trust the OS or the hardware manufacturer with a console command like modprobe to actually do its thing and disable the web camera.
Sounds like he knows where the data being recorded is always going and what's being done with it. Pretty different from the chance that a camera/mic on a laptop might be randomly sending data to some third party.
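The segmentation described in the thread (cameras reachable only by the local recognition servers, servers with no direct internet path, internet-connected devices forced through an HTTP proxy, management kept off the device networks), written as an nftables forward policy on a Linux router. This is an added example, not configuration from any commenter; the interface names, VLAN IDs, proxy address and ports are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Every name, address and port below is an assumption.
flush ruleset

define CAM  = "lan.10"    # cameras
define SRV  = "lan.20"    # local face-recognition servers
define IOT  = "lan.30"    # TV, speakers, other internet-connected devices
define PXY  = "lan.40"    # HTTP proxy that enforces the destination ACL
define MGMT = "lan.99"    # switch and router management
define WAN  = "wan0"      # uplink
define PROXY_IP = 10.0.40.10   # constructed address

table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Cameras may open connections only to the recognition servers
        # (RTSP on 554 assumed). No rule lets CAM or SRV reach WAN.
        iifname $CAM oifname $SRV tcp dport 554 accept

        # Internet-connected devices get out only via the proxy.
        iifname $IOT oifname $PXY ip daddr $PROXY_IP tcp dport 3128 accept

        # The proxy is the only host allowed to talk to the internet.
        iifname $PXY oifname $WAN ip saddr $PROXY_IP tcp dport { 80, 443 } accept
        iifname $PXY oifname $WAN ip saddr $PROXY_IP udp dport 53 accept

        # Management reaches devices; nothing initiates toward management.
        iifname $MGMT oifname { $CAM, $SRV, $IOT, $PXY } tcp dport { 22, 443 } accept

        # Everything else, including all inter-VLAN device traffic, is logged and dropped.
        log prefix "seg-drop " counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # The router itself is administered only from the management VLAN.
        iifname $MGMT tcp dport 22 accept
    }
}
```

These rules only govern traffic that crosses the router between VLANs. Blocking device-to-device traffic inside a single VLAN has to be done on the switch (port isolation or private VLANs), since that traffic never reaches the router.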