davemp 4 hours ago

I'm not giving untrusted devices unfettered access to my LAN, and an airgapped network sounds more complicated tbh. VLANs aren't really that bad with good networking gear.
vladvasiliu 4 hours ago | parent

I have HASS running on a dedicated VLAN, and the IoT junk on its own, separate VLAN without internet access, through a managed switch. OPNsense sits in between and does the routing. I didn't have to mess around with anything, just ran the "VM appliance" or whatever it's called for HASS and I was off to the races. WireGuard on the firewall gives me access from outside the house. Actually, both OPNsense and HASS are VMs on the same machine, with the latter's network not even connected to any physical port outside the box. I'm not even running Proxmox or anything fancy, just libvirt on Arch. The only "fancy" thing is a second-hand Mellanox NIC I got off eBay for 30 €, which presents virtualized interfaces to the VMs, but HASS doesn't actually use those. There's also no need to manually screw around with any reverse proxy for TLS; HASS does it with the Let's Encrypt add-on. The only missing piece when I set this up a while ago was something to regularly renew the cert (the add-on would only get started at boot-up).