Your smart light bulb should not have access to your laptop. Sounds obvious, but on most home networks, every device can see every other device. VLANs fix that, and they are not as complicated as they sound.
What You Need
A router that supports VLANs (UniFi, TP-Link Omada, pfSense, OpenWrt) and a managed switch if you have wired devices. Most consumer mesh systems do not support proper VLANs – this is the main reason I recommend prosumer gear for serious smart homes.
My VLAN Setup
I run three VLANs: VLAN 1 (trusted devices – laptops, phones), VLAN 20 (IoT – smart plugs, sensors, cameras), and VLAN 30 (guest network). IoT devices can talk to the internet and to my Home Assistant server, but cannot see anything on VLAN 1. Simple firewall rules make this work.
The Gotcha
Many smart devices need mDNS or broadcast traffic to be discovered. If you put them on a separate VLAN without an mDNS reflector, your phone will not find them during setup. I run an mDNS reflector on my UniFi gateway that forwards discovery packets between VLANs. Problem solved.