It is possible to have multiple tagged/untagged VLANs (with different network ranges) inside the HA container. If you have several network ports/interfaces available on the host, you could assign them to the HA assistant guest container/jail and configure each to its VLAN (a switch with VLAN support is required, of course).
If you only have one network interface/card/port available inside the HA container, first you will have to create virtual interfaces and tagged VLANs inside this HA guest/container (I did it inside an RP3 with Hassio that only has one physical network port (VLANs with hassio)), second you set up the switch to support these VLANs and separate traffic accordingly (VLANs and LAN), and third you configure all IoT devices to connect to this new VLAN in the same IP range as the HA tagged VLAN interface.
In order to achieve this, given the fact that most IoT devices communicate through wireless, I had to create a dedicated SSID (which was then bridged to a physical port on the AP, set to the appropriate VLAN and connected via cable to the switch) and configure the switch accordingly (only HA and IoT devices should share this VLAN network range).
If you really are security paranoid you could make different SSIDs and VLANs per group of IoT devices (lamps, climate, etc…) so that they don't see each other, but can use HA as a bridge/connection between them. You can then even set up firewall rules in HA to filter what can reach it. Effectively, HA is listening to IoT devices on all its network interfaces at the same time.
If what you want is to have the HA container working as a lonely member on its own ip range (as a typical DMZ server would), different than the one any IoT device belongs to, you might have lots of problems (like I did) crossing subnets, because of broadcasting issues.
It is not an easy solution (setting up multiple tagged VLANs inside the HA container), but it allows for a much better segmentation of traffic and so enhances security in my opinion.
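
The single-port case described above, as an added example that is not part of the original post: a script that validates a per-group VLAN plan and prints the iproute2 commands for the tagged sub-interfaces without running them. The parent interface `eth0`, the VLAN IDs, addresses and group labels are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example: print (not run) the iproute2 commands that create tagged
# VLAN sub-interfaces on a single NIC. All names, IDs and addresses below
# are constructed sample values, not taken from the post.

PARENT="eth0"   # assumption: the only physical port inside the HA guest

# Constructed plan: "<vlan id> <HA address/prefix on that VLAN> <label>"
PLAN="20 192.168.20.2/24 lamps
30 192.168.30.2/24 climate"

# Succeeds only for a usable 802.1Q VLAN ID (1-4094; 0 and 4095 are reserved).
valid_vid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 4 ] && [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Emit the commands for one VLAN; returns 1 on a bad ID or over-long name.
vlan_cmds() {
    parent=$1; vid=$2; addr=$3
    ifname="$parent.$vid"
    valid_vid "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
    # Linux interface names are limited to 15 characters (IFNAMSIZ - 1).
    [ "${#ifname}" -le 15 ] || { echo "name too long: $ifname" >&2; return 1; }
    echo "ip link add link $parent name $ifname type vlan id $vid"
    echo "ip addr add $addr dev $ifname"
    echo "ip link set dev $ifname up"
}

# Walk the plan; refuse duplicate IDs, which would put two groups on one VLAN.
render_plan() {
    seen=" "
    while read -r vid addr label; do
        [ -n "$vid" ] || continue
        case "$seen" in *" $vid "*) echo "duplicate VLAN id: $vid" >&2; return 1 ;; esac
        seen="$seen$vid "
        echo "# $label"
        vlan_cmds "$PARENT" "$vid" "$addr" || return 1
    done <<EOF
$1
EOF
}

render_plan "$PLAN"
```

Interfaces created with `ip link` do not survive a reboot, so the printed commands are for checking the plan against the switch and SSID configuration before making it persistent.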