by nickstinemates 1207 days ago
Network segmentation, i.e. use of vlans, is the traditional way to solve this.
1 comments

Not sure why you’re being downvoted, this is a very good answer. Maybe because you left out the implied “and then firewall off that vlan”?
Yeah, it seems to be the common consensus to just block everything going in and just make exceptions where you really want to offer a service to the internet.

Makes total sense, thinking about it. I guess all those years of just sitting behind a NAT make one forget all these networking basics if you're not using them regularly.

Moving closed-source IoT devices into a special vlan, with some even more rigid rules (something like: only allow http/https traffic into the internal network) might be an additional level of security.

Thank all of you for your replies!
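
The policy the thread converges on (default-deny inbound with explicit exceptions, plus a tighter VLAN for IoT devices), sketched as an nftables ruleset for a Linux router. This is an added example, not something posted by any commenter; the interface names, VLAN IDs, the router services and the 2001:db8:: address are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example. All names and addresses below are assumptions.
flush ruleset

define WAN = "eth0"       # uplink to the internet
define LAN = "eth1.10"    # trusted internal VLAN (VLAN 10)
define IOT = "eth1.20"    # VLAN for closed-source IoT devices (VLAN 20)

table inet filter {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # IPv6 needs ICMPv6 (neighbor discovery, PMTU) to work at all.
        meta l4proto ipv6-icmp accept
        # Router management only from the trusted VLAN.
        iifname $LAN tcp dport 22 accept
        # DNS and DHCP served by the router to both VLANs.
        iifname { $LAN, $IOT } udp dport { 53, 67 } accept
        iifname { $LAN, $IOT } tcp dport 53 accept
    }

    # Traffic routed between WAN, LAN and the IoT VLAN.
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were allowed out.
        ct state established,related accept
        ct state invalid drop
        # The trusted VLAN may initiate connections anywhere.
        iifname $LAN accept
        # Assumption: IoT devices need to reach their vendor services.
        iifname $IOT oifname $WAN accept
        # IoT into the internal network: only http/https, as suggested above.
        iifname $IOT oifname $LAN tcp dport { 80, 443 } accept
        # The one exception for a service offered to the internet
        # (constructed documentation address).
        iifname $WAN oifname $LAN ip6 daddr 2001:db8:10::50 tcp dport 443 accept
        # Everything else, including WAN -> IOT, hits the drop policy.
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it; any inbound flow not listed in the forward chain is dropped regardless of whether NAT is in the path.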