I have my main VLAN, a guest VLAN, and one for any 'smart'/IoT devices that need to connect to cloud services. Each is firewalled from each other and each has its own separate WiFi SSID.
Not just because the IoT devices are prone to attack because they may not get many updates, but also because they often need 2.4 GHz or may only support WPA 2. So my main network can be WPA3 only and 5 GHz only but the other networks are more lenient.
I have multiple VLANs on my home LAN. It's just so much easier to provide no-Internet or isolated-from-all-other-non-guest-hosts service if you set that up via VLANs. I might be mistaken, but it's my pretty strong understanding that with everything on the same VLAN, you have to deal with hosts using MAC and/or IP address spoofing to evade your router firewall rules. [0]
[0] Because what else would you use to decide how to block or permit traffic if you can't distinguish by the interface that the traffic came in on?
It's starting to get a bit more common but in a roundabout way. Telus managed Wifi routers can provides isolated guest networks, which AFAIK uses VLAN's and firewall rules internally. It's not visible to the end user though.
Not just because the IoT devices are prone to attack because they may not get many updates, but also because they often need 2.4 GHz or may only support WPA 2. So my main network can be WPA3 only and 5 GHz only but the other networks are more lenient.