My home network seems to be growing by a few devices a year. A Ubiquiti camera, then a LIFX bulb, then another one, then a Broadlink Wi-Fi-to-IR bridge. I don’t trust these kinds of devices. The Ubiquiti at least has a shell, so it’s possible to poke around, but I have no idea what the lightbulbs or IR bridge are doing unless I watch the traffic. But there’s really no good reason for them to phone home, reporting “self diagnostics” or whatever.
So, if they can’t talk to the Internet, then they are pretty safe on your LAN. Open source routers based on LEDE/OpenWrt make it pretty easy to keep your IoT devices from being hijacked.
If you want, you can allow your IoT devices to talk to a specific cloud, but nothing else. I prefer to purchase devices that do not need to talk to the cloud, but some things require it – streaming services, obviously. So, you can still allow them to connect, but you can control that connectivity.
Under Firewall -> Traffic Rules, create a new rule for each device. The rule can be based on MAC address, which you can find easily in the DHCP table. Simply reject all LAN to WAN traffic for the device and it will no longer be able to phone home, or do other undesirable things.
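The same rules can be written as `/etc/config/firewall` stanzas; the shell helper below is an added example, not part of the original post, and it looks up each device's MAC in a dnsmasq lease table (OpenWrt keeps it at `/tmp/dhcp.leases`). The hostnames, MACs, helper names and the allowed address `203.0.113.10` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build /etc/config/firewall rule
# stanzas from a dnsmasq lease table. Lease line: <expiry> <mac> <ip> <host> <id>

# Constructed sample leases; every MAC, IP and hostname here is made up.
SAMPLE_LEASES='1700000000 aa:bb:cc:00:00:01 192.168.1.50 lifx-bulb-1 *
1700000000 aa:bb:cc:00:00:02 192.168.1.51 broadlink-ir 01:aa:bb:cc:00:00:02
1700000000 aa:bb:cc:00:00:03 192.168.1.60 laptop *'

# mac_for_host LEASES HOSTNAME: print the device MAC, or return 1 if absent.
mac_for_host() {
    printf '%s\n' "$1" |
        awk -v h="$2" '$4 == h { print toupper($2); f = 1; exit } END { exit !f }'
}

# emit_rule NAME MAC TARGET [DEST_IP]: print one LAN -> WAN traffic rule.
emit_rule() {
    printf "config rule\n"
    printf "    option name '%s'\n" "$1"
    printf "    option src 'lan'\n    option dest 'wan'\n"
    printf "    option src_mac '%s'\n" "$2"
    [ -n "$4" ] && printf "    option dest_ip '%s'\n" "$4"
    printf "    option proto 'all'\n    option target '%s'\n\n" "$3"
}

# block_rule LEASES HOSTNAME [ALLOWED_IP]: reject all WAN traffic for a device,
# optionally allowing one destination (assumed here to be its cloud endpoint).
block_rule() {
    mac=$(mac_for_host "$1" "$2") || { echo "no lease for $2" >&2; return 1; }
    # Rules are evaluated in order, so the narrow ACCEPT must come first.
    [ -n "$3" ] && emit_rule "allow-$2-cloud" "$mac" ACCEPT "$3"
    emit_rule "block-$2-wan" "$mac" REJECT
}

# Demo on the constructed leases: one allowed destination, everything else rejected.
block_rule "$SAMPLE_LEASES" lifx-bulb-1 203.0.113.10
```

Review the output before appending it to `/etc/config/firewall` and reloading the firewall. A rule keyed on MAC only holds while the device keeps presenting that MAC, so recheck the DHCP table after a firmware update or a device swap.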