A hacker would isolate from the internet a cameras VLAN and run its own NVR software. At this point, the market has an abundance of good-enough options for cameras. The fight is in other areas, not the cameras as a device.
There are many different use cases and threat models, some of which do not permit random unmaintained Chinese-origin firmware to be present on local networks, VLAN network isolation claims not withstanding.
Open firmware for some camera SoCs (HiSilicon, Goke, Ingenic): https://openipc.org/
I'm with you in considering any software in the cameras as a threat, that's why you keep the cameras isolate from the internet. I've audited a few cheap chinese ones and they were indeed filled with vulnerabilities and unknown services running in high ports.
The idea that you can't effectively isolate them network wise is just a stretch.
> Switches were not designed as security devices. Their use as such simply evolved over time, and is ancillary to their main use as devices that improve network performance. If you use a switch for security reasons, you are relying on the correct configuration of the switch, including understanding not only the standards that the switch software is based upon, but also the correct implementation of those standards. The 802.1Q spec itself is 211 pages long, and is only one of a handful of standards that a compliant switch manufacturer must support. Any time that you need to segregate networks for serious security purposes, I recommend that you not use a switch.
You are not restricted to VLANs for isolation purposes. You can consider the entire PoE switch LAN as compromised. Then firewall the NVR, which would connect to that switch to pull the cameras streams. Any software in the cameras don't need to see WAN at all.
Open firmware for some camera SoCs (HiSilicon, Goke, Ingenic): https://openipc.org/