I can't give any better technical advice than what is applied above, but I can give my experiences which, in and of themselves, show why you should do it right.
I use OpenHab and buy a lot of tat from China via AliExpress, BangGood etc - anyone who will post to the UK :)
For the most part I try to flash my own or other Open Source firmware on it. There is more of a chance of prying eyes then. I have near-full automation from heating to all lights, presence and motion detection, wifi location tracking etc. All these features require one or many little things which I obtained from China / eBay / AliExpress etc.
My setup is a VLAN - both on wired and wifi - for IoT stuff. This is blocked to the internet other than specific devices which I allow out. Said devices are the OH controller, Alexa and, urm, nothing else :)
Inter-VLAN routing is managed by pfSense and only specific clients can route between the two.
I bought a cheap tablet as a wall-mount-dashboard from China. £50 for a 10.1 inch Android jobbie recently.
I was looking at the logs a few days ago trying to work something out and noticed a large amount of hits on my deny-all rule. The tablet is constantly trying to phone-home. There are bursts of traffic to an IP in China. The traffic is over https so I cannot - for now - see what it is. I will try using ssl-strip one of these days when I get some time.
A few of the LED controllers also call home constantly.
All in all, you need to separate everything off from your main network.
Use a proper controller such as OpenHAB, HomeAssistant, Domotix etc to control the smart home. Do not rely on each item because you cannot truly own them.
Try, where possible, to use items which you can flash your own firmware on. Often this adds a large feature set and is maintained.
Do think security-first.
Of course, none of the above is as bad as having a Samsung Android tablet - they're the worst culprits :(
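The post above spots the phoning-home tablet by eyeballing deny-all hits in the pfSense firewall log. As an added example (not code from the original post or from pfSense), the script below parses lines in pfSense's filterlog CSV format, keeps only blocked packets arriving on the IoT VLAN interface, and groups them by source host so the chattiest device and the destinations it is trying to reach stand out. The sample log lines, the interface name `igb1.20`, the addresses, and the `allowed_sources` parameter (for hosts like the OpenHAB controller that are expected to have their own pass rules) are all constructed assumptions.

```python
"""Summarise which IoT-VLAN hosts are hitting a pfSense deny-all rule.

Example code, not from the original post. Parses pfSense filterlog CSV lines
and groups blocked attempts by source host so a device that constantly
phones home stands out. Sample lines, interface, and addresses are constructed.
"""
from collections import defaultdict

# Constructed sample lines (not real captures). igb1.20 is an assumed IoT VLAN
# interface; 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation
# ranges. Field order follows the pfSense "raw filter log format" documentation.
SAMPLE_LOG = """\
Mar  3 21:14:02 pfsense filterlog[41207]: 9,,,1000000109,igb1.20,match,block,in,4,0x0,,64,1823,0,DF,6,tcp,60,192.168.20.41,203.0.113.25,50412,443,0,S,1134421,,65535,,mss;sackOK;TS;nop;wscale
Mar  3 21:14:03 pfsense filterlog[41207]: 9,,,1000000109,igb1.20,match,block,in,4,0x0,,64,1824,0,DF,6,tcp,60,192.168.20.41,203.0.113.25,50413,443,0,S,1134422,,65535,,mss;sackOK;TS;nop;wscale
Mar  3 21:14:05 pfsense filterlog[41207]: 9,,,1000000109,igb1.20,match,block,in,4,0x0,,64,9912,0,DF,17,udp,78,192.168.20.73,198.51.100.9,4523,8899,58
Mar  3 21:14:10 pfsense filterlog[41207]: 6,,,1000000106,igb1.20,match,pass,in,4,0x0,,64,5000,0,DF,6,tcp,60,192.168.20.10,198.51.100.200,44002,443,0,S,99001,,65535,,mss;sackOK;TS;nop;wscale
Mar  3 21:14:12 pfsense filterlog[41207]: 9,,,1000000109,igb1.20,match,block,in,4,0x0,,64,1825,0,DF,6,tcp,60,192.168.20.41,203.0.113.25,50414,443,0,S,1134423,,65535,,mss;sackOK;TS;nop;wscale
Mar  3 21:14:15 pfsense filterlog[41207]: 9,,,1000000109,igb1.20,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8:20::41,2001:db8:ffff::1,50415,443,0,S,77001,,65535,,mss;sackOK;TS;nop;wscale
"""


def parse_filterlog_line(line):
    """Return the fields we care about from one filterlog line, or None."""
    if "filterlog[" not in line or "]: " not in line:
        return None
    f = line.split("]: ", 1)[1].split(",")
    if len(f) < 9:
        return None
    # Common prefix: rulenum,subrulenum,anchor,tracker,iface,reason,action,dir,ipver
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4],
           "action": f[6], "dir": f[7], "ipver": f[8]}
    if f[8] == "4" and len(f) >= 20:
        # tos,ecn,ttl,id,offset,flags,protoid,protoname,length,src,dst
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif f[8] == "6" and len(f) >= 17:
        # class,flowlabel,hoplimit,protocol,protoid,length,src,dst
        # (take whichever of the two protocol fields is the text name)
        proto = f[12] if not f[12].isdigit() else f[13]
        src, dst, rest = f[15], f[16], f[17:]
    else:
        return None
    rec.update(proto=proto, src=src, dst=dst, dport=None)
    # tcp/udp continue with srcport,dstport,...; icmp and others do not
    if proto in ("tcp", "udp") and len(rest) >= 2 and rest[1].isdigit():
        rec["dport"] = int(rest[1])
    return rec


def summarize_blocked(lines, iface=None, allowed_sources=()):
    """Count blocked packets per source host on the IoT VLAN.

    A phone-home attempt from a VLAN host is seen by pfSense as traffic
    arriving *in* on that VLAN's interface, so only action=block, dir=in
    records are counted. Returns a list of dicts sorted by hit count, each
    with the source, the number of blocked packets, and the set of
    (destination, port, protocol) tuples it tried.
    """
    hits = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        rec = parse_filterlog_line(line)
        if rec is None or rec["action"] != "block" or rec["dir"] != "in":
            continue
        if iface and rec["iface"] != iface:
            continue
        if rec["src"] in allowed_sources:
            continue
        hits[rec["src"]] += 1
        dests[rec["src"]].add((rec["dst"], rec["dport"], rec["proto"]))
    return sorted(
        ({"src": s, "hits": n, "dests": dests[s]} for s, n in hits.items()),
        key=lambda r: r["hits"], reverse=True,
    )


if __name__ == "__main__":
    for row in summarize_blocked(SAMPLE_LOG.splitlines(), iface="igb1.20"):
        targets = ", ".join(f"{d}:{p}/{pr}" for d, p, pr in sorted(row["dests"], key=str))
        print(f"{row['src']:<20} {row['hits']:>4} blocked -> {targets}")
```

Feed it the real filter log instead of `SAMPLE_LOG` (plain text on recent pfSense releases, via `clog` on older ones) and pass the VLAN interface name; a device that shows up with hundreds of hits to the same destination and port is the one to pull off the network or reflash.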