I agree we need to think about security first; it will be near impossible to fix this later if we get this wrong. Think of the Mirai botnet that reached a 1 Tbit/s attack a few years ago using hacked IoT devices.
The minimum I do at home is physically separate my IoT network from my “normal” network.
Steve Gibson explains one way to do this in his Security Now podcast, episode 545 or Google “three dumb routers”. I think you can do the same with the $50 EdgeRouter X from Ubiquiti.
Even if your gateway or one of the nodes gets hacked or is malicious, they won’t get access to the rest of your network.
Also, most “make your own gateway” tutorials don’t mention a firewall, but we could easily set up a firewall on these Raspberry Pi gateways and only open the ports needed for the packet forwarder, no? Does anyone know what the minimal open ports are for the forwarder to do its job?
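One concrete shape for the firewall idea in this post, added here as an example (not code from the post or from any gateway project): a small shell function that emits a default-drop nftables ruleset for a Raspberry Pi gateway, allowing outbound only DNS/DHCP/NTP and the forwarder's UDP traffic to its network server, plus SSH in from an admin subnet. The forwarder port, server address and admin subnet are placeholders passed as arguments, since the thread does not state which ports the forwarder actually needs.

```shell
# Added example: generate a default-deny nftables ruleset for a Pi gateway.
# Arguments are placeholders (the thread does not say which ports the packet
# forwarder uses); fill them in from your forwarder's documentation.
gateway_ruleset() {
  fwd_port="$1"    # UDP port the forwarder uses to reach the network server
  server="$2"      # network server address the forwarder talks to
  admin_net="$3"   # subnet allowed to SSH in for administration
  cat <<EOF
table inet gateway {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip protocol icmp accept
    # administration only from the trusted subnet
    ip saddr $admin_net tcp dport 22 ct state new accept
  }
  chain forward {
    # the gateway must not route between networks at all
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    # DNS, DHCP client, NTP: needed for the box to function at all
    udp dport { 53, 67, 123 } accept
    tcp dport 53 accept
    # the one thing the forwarder needs: its server, its port, nothing else
    ip daddr $server udp dport $fwd_port accept
    # anything else leaving the gateway is a sign of compromise; log it
    log prefix "gw-egress-drop " counter drop
  }
}
EOF
}

# Usage (constructed placeholder values):
#   gateway_ruleset <forwarder-udp-port> <server-ip> <admin-subnet> > /etc/nftables.conf
#   sudo nft -f /etc/nftables.conf
```

Dropping and logging outbound traffic that is not on the allow-list is what turns a hacked gateway into something you notice rather than a Mirai node.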