by mjevans 2311 days ago
The next time I update (wifi) routers I'm responsible for, I think I'm going to go fully Internet Only DMZ, and Wireguard 'VPN' for entry to the LAN.

That sounds nice on paper, but will make common things like accessing Plex-servers from apps on the set-top box, Chromecasting and what not a royal pain in the ass.
I thought this would be the case, but I have most of my WiFi-enabled devices using WireGuard, and don't have a problem accessing my self-hosted services, nor with casting. This is the case even with phones using WireGuard. I can cast, use Jellyfin, and cast from Jellyfin just fine. edit: I should mention that I don't have an internet-only DMZ, just WireGuard for the LAN.
I can't get any casting to work when my phone is connected with WireGuard. I have "exclude private IPs" on for the one I'm connected to. It'll show, for instance, in the YouTube app but not actually be able to cast. Disabling the VPN and retrying works immediately.
While I'm excited about WireGuard, you might want to have a look at ZeroTier. It works perfectly as a mesh LAN. Must admit I haven't tried casting; the only thing I "cast" is YouTube, which is just via the regular LAN/internet.
It might have something to do with how you've implemented your VPN on the server-side. I had to play with iptables to get my devices to talk with one another seamlessly.

Possibly had to do something on the OpenWRT side, as well, but it's been a while since I initially configured my network to work with WireGuard.

You can still disable WireGuard at any time and fall back to "unsafe" use for Chromecast etc.
How about 802.1X? It's still safe and I can do many fancy networking tricks (VLANs, etc.) with it. But it's not compatible with a lot of "IoT" stuff, including Chromecast.
You might wanna hang IoT stuff in a DMZ anyway, or just not use it (especially if it's a proprietary standard, like Chromecast).