by 7952 3405 days ago
A VPN could create a false sense of security. After all, the device is still untrusted, and will need to connect to the internet even just to do security updates.

We have good security measures for connecting to servers (which is what IoT devices are), so why reinvent the wheel? Why not require devices to have normal TLS certificates and map the internal IP address to a subdomain of the manufacturer? That way browsers can access the device using CORS, and the normal XSS protections will apply. Authenticate and authorise using a well-known standard like OpenID, OAuth or JWT.