I already have a THINGS VLAN and a SEWER VLAN for devices that scare me more ('leccy readers eg) than stuff I put on THINGS

Likewise. And I can disable the "things" access to the outside world with one click on the network firewall (hard to reach the internet when your default gateway is no longer responding..)

Although I don't have a sewer vlan. I found it easier to just never connect the things in the first place.

