SmartThings and VLANs

This is how my whole network is set up: ST, servers, laptops, TVs, etc.

Depending on your level of paranoia, use an AP that supports multiple SSIDs mapped to separate VLANs. With a firewall or access lists you can then control what each VLAN has access to. Next, break the devices into classes of connectivity:

Need just a constant "cloud" connection to work properly
Need no cloud connection except for initial config/updates, but need a local connection
Need both a cloud connection and a local connection to work

If you have a class of devices that are truly cloud-based (i.e. they don't use any local traffic; it all must go out to the internet and back), creating an SSID and VLAN that segregates their traffic is a simple measure to make sure that any hostile activity they might be repurposed for is sheltered from high-value targets like your backup server. Putting devices that need some sort of always-on connection in their own class keeps them sidelined if there is some sort of remote compromise of their command and control structure (the cloud).

If you still need local access to some of those devices, say to give your phone just the ability to reach port 80 on your TV or your light bulb (if that's how the smart remote works), a stateful firewall rule can enforce that only your phone, and only to that port on the TV, is allowed through. If your TV needs no internet access and only protected local access, it falls into another category which needs its own SSID, and if you really want it to be able to talk to the internet but to no other devices, and be all by itself, it needs its very own SSID and VLAN; many of these can be created if needed.

One measure that can also go a long way if your network is subject to transient devices (i.e. relatives' tablets or laptops dropping by from time to time) is putting just those on a different VLAN, since, for example, your smart light bulb, unless you purposefully open a port from the internet at large, is of no harm even without a password as long as you (hopefully) trust all the other devices on your network not to be under malicious control.
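The policy sketched above (cloud-only devices reach only the internet, the phone reaches only port 80 on the TV, transient guests reach only the internet, everything else default-deny) can be modelled as a small stateful-rule evaluator. This is an added illustration, not the poster's configuration; the VLAN names, subnets and host addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed VLANs, one per connectivity class from the post.
VLANS = {
    "trusted":   ip_network("10.0.10.0/24"),  # phones, laptops, backup server
    "iot_cloud": ip_network("10.0.20.0/24"),  # cloud-only devices (internet only)
    "iot_local": ip_network("10.0.30.0/24"),  # local-only devices (e.g. the TV)
    "guest":     ip_network("10.0.40.0/24"),  # transient relatives' tablets
}
WAN = "wan"

# Constructed hosts referenced by the phone -> TV:80 rule.
PHONE = ip_address("10.0.10.50")
TV = ip_address("10.0.30.10")


def vlan_of(addr):
    """Return the VLAN name containing addr, or 'wan' for anything off-LAN."""
    for name, net in VLANS.items():
        if addr in net:
            return name
    return WAN


# Allow rules for NEW connections: (src_vlan, dst_vlan, predicate(src, dst, dport)).
ALLOW = [
    ("trusted",   WAN, lambda s, d, p: True),   # trusted devices reach the internet
    ("iot_cloud", WAN, lambda s, d, p: True),   # cloud-only class: internet and nothing else
    ("guest",     WAN, lambda s, d, p: True),   # guests: internet only
    # Stateful pinhole: only the phone, only to the TV, only to port 80.
    ("trusted", "iot_local", lambda s, d, p: s == PHONE and d == TV and p == 80),
]


def allowed(src, dst, dport):
    """Decide whether a NEW flow src -> dst:dport may be opened.

    Unmatched flows are dropped (default deny). Because the firewall is
    stateful, replies to an allowed flow are implicitly permitted, so the TV
    can answer the phone without any TV -> trusted rule, yet the TV (local-only
    class) cannot initiate a connection to any other VLAN or to the internet.
    """
    src, dst = ip_address(src), ip_address(dst)
    sv, dv = vlan_of(src), vlan_of(dst)
    if sv == dv:
        return True  # same VLAN: switched locally, never reaches the firewall
    return any(sv == rs and dv == rd and pred(src, dst, dport)
               for rs, rd, pred in ALLOW)
```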

Several inexpensive Wi-Fi/router devices that can be loaded with OpenWrt or DD-WRT can be configured this way. The challenge isn't how to pull all this off, it's how to keep it all working smoothly and not throw up your hands, admitting that it's easier to just live under the spectre of network Armageddon than to unblock a port every time your phone's TV app updates and says your TV firmware is now out of date. If you're like most people, you just harden what you can: automatic or alerted updates on all devices that support it, sensible firewall rules with anything like UPnP disabled, and carry on with your life.

After that, slap firewalls on and you're good to go!

Then no problems at all. In fact I think it made my network even more optimized.