Brother FTW and no reason not to firewall those devices
While I ran an HP I found curbside (the scanner feeder was shot, NBD) for a bit, what put me off was the nasty BLOB that required installing via undocumented procedures (documented ones didn't work) for me to get network printing and scanning to work. Yes, Linux comes with all you need to plug it in via USB and print, but network functions are a chore. Their ink shenanigans are only adding to my distaste for this company.
Eventually, I didn't bother buying replacement toner for it and I got my trusty ol' Brother MFC7440N back. That thing served me well for 13 years, but it wasn't worth my while to fix the feeding issues (tried cleaning out the usual suspects), so I just picked up another and the company paid for it. They work great with aftermarket toner, Linux BLOBs are in tens of kilobytes, so unlikely that they'll contain anything nasty and the install procedure is stupid-easy, even when you're setting it up for network printing/scanning. Just in case, I still made sure it has no WAN access. While Brother has been a good corporate player IME, who knows when they'll decide to hire some washed-out HP execs.