Ok Michael - you made me make a diagram just so I know we’re speaking the same language. Note this is probably not at all perfect and WAY oversimplified and if anyone from ST corrects us - use their explanation instead. This is how I understand the logical assembly of the ST Wifi:
Yes there’s a 2.5GHz network there too, and other APs but you can get the idea here.
The blue box is the actual device, the white boxes inside are how I understand them to be connected internally. It’s no different than if you had a WiFi Router and a ST V.3 hub sitting next to each other on a table, they just happen to be in the same box.
So to get to the Wifi network from the Zigbee Network (assuming it is possible and an attacker is successful, of course) one would have to traverse the zigbee network into the hub, own the ST hub (and your account), then compromise the WiFi network. Zigbee, Zwave, WiFi and Bluetooth (if Samsung enables it) are all segmented from each other at the ST Hub. Or alternatively, they have to own the ST cloud, then your hub and then out from there. (Which quite honestly, the cloud inward vector due to compromised creds is the more likely option.)
To protect mine I have physical security protecting my networks - cameras making sure nobody can sit outside my house and compromise Zigbee or ZWave, or WarDrive my WifI network. My gear is in a secured closet where possible, yes I have one in teh clear but good luck finding it. You already have to be in my house. I disabled old authentication protocols on my WiFi network. I only use ZWave or Zigbee HA endpoints for sensors and actuators (No TuYa WiFi switches here). I don’t bother hiding my SSID - someone who knows what they are doing can get it anyway.
To protect my perimeter - I’m religious about keeping my firmware up to date on the perimeter router. Check regularly, apply it immediately, and complain to the vendor if they mess up.
To protect the cloud, I only install SmartThings Apps I have reviewed and use multi factor auth (MFA) on not only my ST cloud - but anything I connect to it that supports MFA. (Such as Amazon) So if Mr. Badguy tries to come in that way, my phone starts to go nuts with auth attempts.
Does that help?