A small router device put in between might help, say a repurposed (OpenWRT?) WiFi access point, or a small MikroTik or similar device. Forcing all IoT devices onto a second private WiFi network would allow rules to be set so that, for example, they can be reached by devices on the home network but are prevented from connecting anywhere else on the outside.