1. if the device has a name -> always assume it is vulnerable
2. hope you disabled UPnP, the device doesn't have NAT hole punching, and doesn't "require" internet access for some reason like... cloud backup of logs or update checks
3. configuring firewalls and routers is hard. but plugging devices into power is easy. people always go the easy route.
Separate Wi-Fi/network for IoT devices.
Do not route to the internet in any way (skip buying anything that requires it).
Connect to Windows (or other OS) PC only, non-routable.
Disable all connections from that network to the PC.
You wish. People are not going to go to their local PC (if they even have one) to use their smart lights. Likewise people are not going to change wireless networks every time they need to change a smart item.
The best combo I have found is non-cloud smart devices and a solid firewall. I'm confident enough that my lightbulb isn't going to hack my Mac/Windows machine, and I can still control it when I'm at home with my phone. If I want outside control, then it's VPN time.
2. put all IoT devices behind firewall/NAT router and never allow any traffic from WAN to the IoT. (Allow only South->North traffic)
3. Never allow east-west traffic between IoT devices.
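An nftables ruleset that implements the policy in the last two comments (IoT behind a firewall, south-to-north traffic only, nothing from WAN into IoT, no east-west between IoT devices) while keeping the earlier commenter's setup where a phone on the home LAN still reaches the bulb. This is an added example, not any commenter's configuration; the interface names wan0, lan0 and iot0 and the role of each are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example; interface names are assumptions for a three-zone router:
# wan0 = uplink, lan0 = phones/PCs, iot0 = separate IoT VLAN/SSID.
flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define IOT = "iot0"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # IoT devices may only talk to the router itself for DNS and DHCP.
        iifname $IOT udp dport { 53, 67 } accept
        iifname $LAN accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections opened from inside are the only traffic
        # allowed back in. Note this is exactly what a cloud-connected device
        # relies on: once it dials out, the vendor can reach it through that
        # session, so the firewall cannot protect a device that must dial out.
        ct state established,related accept
        ct state invalid drop

        # South -> North: IoT may open connections to the internet.
        # Delete this rule for devices that have no business on the internet.
        iifname $IOT oifname $WAN accept

        # Home LAN may reach both the internet and the IoT segment, so the
        # phone can control the bulb at home without changing Wi-Fi networks.
        iifname $LAN oifname $WAN accept
        iifname $LAN oifname $IOT accept

        # WAN -> IoT and IoT -> LAN never get to start a connection: no rule
        # matches, so the chain policy drops them. East-west between IoT
        # devices is dropped here too, but the router only sees traffic that
        # crosses it; devices on the same VLAN/SSID reach each other via the
        # switch, so pair this with AP client isolation or one VLAN per device.
        iifname $IOT oifname $IOT drop

        # Log what the policy refuses so a chatty or compromised device shows up.
        limit rate 10/minute log prefix "fwd-drop " drop
    }
}
```

UPnP and NAT-PMP are not addressed by these rules and must be disabled in the router separately, otherwise a device can still ask the router to punch a hole for it.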