This, pretty much.

The ideal setup is having a separate vlan for your IoT things, that has no internet access. You then bridge specific hubs into it, so the hubs can control them and update their firmware.

If you have IoT devices that are unsafe but cannot be updated any other way, you can temporarily bridge the IoT VLAN to WAN.

Honestly, what IoT stuff needs is something similar to LVFS. Make it so all the hubs can grab updates from there, and can update any IoT device that supports Matter. It would also serve as a crapware filter because only brands that care about their products would upload the firmwares.