It does make it harder to use these things. Some things may even become impossible to use effectively.
The simpler method is just to never trust anything, ever, but that's just a long-winded path that asymptotically approaches having a completely disconnected (airgapped) home.
But the usual default method is even easier. Just use the stuff on the default WLAN that is provided by the ISP like a commoner, have no local services at all (what homelab? what file server? what printer?), and fuhgetaboutit.
So what if the botnet spreads from the Android TV box to the light bulbs? As long as all of the things keep performing their primary roles (rule #1 of a successful infection: don't kill the host), then the bliss of ignorance will be complete.
But yeah, it's hard to secure home networks. One step would be if expert users and ISP boxes would make a separate WiFi network/VLAN for IoT devices. Second, there should be more regulation and education about not connecting crap devices to your network and/or Western sellers (Amazon, Best Buy, etc.) should be liable if they continue selling a device once it is known that it is malicious.
Matter devices run without internet access (at least this is the whole point of the spec, some manufacturers have fewer features without using the cloud based app, but to be Matter certified it must run locally to some extent), so blocking the vlan should be okay with a lot of IoT devices.
Random dodgy streamer box does need internet access though, so I think at best having a vlan (probably one just for it sadly) that doesn't have access to the rest of your internal network would be the only realistic solution. Still won't help prevent it from using your connection as part of a botnet though. It's a hard problem.
Unfortunately users are very averse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.
Maybe we have to rely on the state going after sellers of such pre-compromised devices? I'd say hold the users somewhat liable, maybe a small fine, when they are part of a botnet, and waive it when it's a "legit brand" that gets compromised outside of the user's control? Pressure would need to be put on "legit" consumer manufacturers to actually provide security updates to somewhat older devices and not abandon them the minute the latest model is released.
They are.
But there's precedent: Manufacturers spent years shipping consumer routers that worked out-of-the-box with default wide-open networks with SSIDs like "NETGEAR" or "linksys," which was gloriously insecure.
Some folks were sure back then that this could never change, but it has changed. These days, such devices are generally reasonably secure by default.
It can presumably change for Matter and IoT, too.
(Except the rabbit hole is kind of interesting, because... The usual method of setting up a Matter device means scanning a QR code with a pocket supercomputer to begin the process of connecting the Matter device to whatever wifi network it is that the pocket supercomputer is currently using.
And this does work for getting a Matter device online, but it doesn't allow for easy separation of network roles.
So the routers will need to change, and the Matter setup process will also need to change. Shouldn't take more than another decade or two for both things to get accomplished, I suppose.)
It's a dedicated prosumer/commercial ap though.
It doesn't reach as far outside of my home as my older Ubiquiti AP seemed to reach though... I could get almost a block away before my phone would drop when driving. Now it cuts out in the driveway... and less than halfway into the back yard... single AP on middle of second floor ceiling. Had considered additional unit for back yard coverage.
Most wifi routers have a guest network mode, that does the first few good steps.
Devices on the guest network can't see or ping devices on your main home network.
But... if appropriately configured the home network should be able to see the devices on the guest network.
There are a few great guides out there that help plan out your home network for such undertakings.
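An added example, not code from anyone in this thread, of the segmentation the comments above describe (a separate VLAN for internet-only gadgets like the streamer box, a second one for Matter devices that need no internet, and a trusted LAN that can see both but is invisible to them). It generates an nftables ruleset for a Linux router. The interface names and the choice of which zone gets which ports are assumptions for this example; the router's real interfaces (`ip -br link`) must be substituted before applying it.

```shell
#!/bin/sh
# Generates an nftables ruleset with three zones. The interface names below
# are ASSUMPTIONS for this example; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"       # upstream / ISP side
LAN_IF="${LAN_IF:-br-lan}"     # trusted devices: laptops, file server, printer
IOT_IF="${IOT_IF:-vlan20}"     # internet-only zone: streamer box, cloud-tied gadgets
LOCAL_IF="${LOCAL_IF:-vlan30}" # local-only zone: Matter devices, no internet at all

gen_segment_rules() {
  cat <<EOF
flush ruleset
table inet segment {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    # only the trusted LAN may manage the router itself
    iifname "$LAN_IF" accept
    # both untrusted zones may reach the router only for DHCP and DNS,
    # so a Pi-hole/dnsmasq on the router still serves (and logs) them
    iifname { "$IOT_IF", "$LOCAL_IF" } udp dport { 53, 67 } accept
    iifname { "$IOT_IF", "$LOCAL_IF" } tcp dport 53 accept
    # answer pings from any zone; handy when debugging the VLAN trunk
    icmp type echo-request accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # return traffic for connections the trusted side opened
    ct state established,related accept
    ct state invalid drop
    # trusted LAN may go to the internet and may initiate into either VLAN
    iifname "$LAN_IF" accept
    # internet-only VLAN: WAN and nothing else; it never sees the LAN
    iifname "$IOT_IF" oifname "$WAN_IF" accept
    # local-only VLAN: deliberately no forward rule, so no internet and no LAN;
    # it can only answer connections the LAN opened (the ct state rule above)
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Number of zones allowed to forward into the WAN. Exactly one (the
# internet-only VLAN) is expected; a typo in the variables above would
# otherwise silently give the local-only zone internet access.
wan_forward_rules() {
  gen_segment_rules | grep -c "oifname \"$WAN_IF\" accept"
}

main() {
  out="${1:-${TMPDIR:-/tmp}/segment.nft}"
  gen_segment_rules > "$out"
  echo "wrote $out (apply with: nft -f $out)"
  # Dry-run parse when nft is installed; 'flush ruleset' wipes every existing
  # table, so review the file before applying it on a router with other rules.
  if command -v nft >/dev/null 2>&1; then
    if nft -c -f "$out"; then echo "ruleset parses"; else echo "nft rejected the ruleset" >&2; fi
  fi
}

main "$@"
```

Two design points worth noting. The guest-network behaviour the comments describe (trusted side can reach the guest side, not vice versa) comes entirely from the `ct state established,related accept` line plus the default `policy drop`: the LAN opens connections into the VLANs, and only the replies flow back. Second, mDNS is link-local multicast and does not cross a VLAN boundary, so anything that discovers devices by mDNS (Matter commissioning, printers) needs an mDNS reflector on the router or the phone temporarily joined to the device's VLAN.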
Random vendors who promise unlimited free streaming, no less. Even if they're pirating the content, video streaming infrastructure still costs good money to run, so they're obviously making up for it by monetizing the boxes in some other way.
Also, just having a pihole configured for your dhcp dns helps a lot with some traffic, but it can interfere with some legit services (CBS was a really bad one in my experience).
That said, if you don't have the technical skills or desire to learn these things... as you said, don't buy anything that gives you "easy" or "cheap" access to pirate content. It is pretty crazy.
Most routers nowadays support "guest networks", which typically disable LAN access. That's probably all you need, no need for VLANs or anything exotic.
It's a WiFi to WiFi bridge. You connect one over WiFi to get internet access and it creates a separate WiFi connection for your devices. You could use it to create a segregated network for untrusted devices.
It's also a WiFi to Ethernet bridge FWIW. Just the opposite of most routers that only work as Ethernet to WiFi.
Not being glib, but by not buying "smart" devices whatsoever. Manual streaming boxes might actually stop being viable for Linux as different services crack down. But, if you cared about privacy or security you wouldn't roll the dice with this stuff. I don't mean that in a rude or self-righteous way. Rather, I think people don't really care about privacy or security very much. Giving up streaming sounds like a big sacrifice to a lot of people, but if you contrived some scenario (really just for the sake of the argument) where your streaming devices were giving your kids mercury poisoning, you'd have no trouble giving them up. (and giving them up would really be the least of your worries) You might complain that mercury poisoning is not even remotely similar in severity to privacy or security concerns, and you'd be correct. But, that's the point I'm making. If people really cared about these issues then abstaining would be an easy decision. People claim to care, but don't actually take any action, and so I think they don't actually care that much.