There are two categories of devices worth considering:
- Those controllable (only) through the manufacturer's server and requiring an Internet connection: put them on the guest network that only has a (NATed) route to the Internet and nothing else (ideally, of course, don't buy them);
- Those controllable over LAN and not requiring an Internet connection: put them on a jail network that has a route to the main network and is firewalled away from the Internet (and perhaps from initiating connections to the main network as well).
- Those controllable (only) through the manufacturer's server and requiring an Internet connection: put them on the guest network that only has a (NATed) route to the Internet and nothing else (ideally, of course, don't buy them);
- Those controllable over LAN and not requiring an Internet connection: put them on a jail network that has a route to the main network and is firewalled away from the Internet (and perhaps from initiating connections to the main network as well).