A VLAN buys you time, not trust. Give a printer its own separate segment and six months later you've got ad hoc firewall exceptions for scans, updates, vendor support, and some test VM nobody remembered to remove. TLS is boring, and that's the point: it fails closed, while network policy drifts until the weird exception becomes the default.

tls is not boring at all, especially with devices that are always 10 years behind in terms of security, it's not like you can enforce any kind of reasonable ciphersuites even in modern printers

also 9/10 printing protocols are insecure anyway

scans - sure, mailserver needs to be allowed

vendor support - same mailserver

vm - at least a reason to kill it

also why would i ever allow auto updates, it's better not to without understanding what garbage the manufacturer released this time