I can remember someone mentioned an old model (supposedly possible to find on eBay) which could be hacked to run a vendor-imitating server on itself and connect to it via localhost.
A few of the Xaiomi's and Viomi's are rootable. I have a Gen1 Xaiomi and it's brilliant. I got ssh access to the ubuntu install and installed https://github.com/Hypfer/Valetudo and run it 100% local via my home-assistant install.
One of the first steps when rooting is usually to block outgoing and incoming in iptables (it's a fairly standard ubuntu install after all) so you don't lose root at any point, so the risk is minimal. Not to mention I have a dedicated non internet routable IOT network specifically for this reason.
dgiese is a proficient vacuum security researcher and has most of that stuff available here: https://github.com/dgiese/dustcloud