I’m a zigbee guy. Most of my stuff is zigbee BUT I couldn’t find a plain inline switch that would pass the WAF.
I did find these, but they are dimmers as well and I didn’t want a dimmer.
https://www.samotech.co.uk/products/zigbee-cord-in-line-rotary-dimmer/
As I use Zigbee2Mqtt, I ended up with the Shelly 1’s and Shelly button case. Shelly’s can do MQTT so I just went with that and I’m really happy with them (I have 6 now).
Simon
I use several wifi solutions :
All these can be configured without cloud and don"t need to access Internet for normal operation (some newest Broadlink devices need Internet access during initial setup but not after)
As do I. Many can be set up without using the vendor cloud, although others require it at least for set-up, but can be blocked in the firewall after that.
There are a few reasons I’ve drifted away from WiFi devices. The stand-alone setup can often be a bit more effort without the cloud. On the TP-Link, for example, you have to know how to bypass the screen which “requires” you to create an account on their servers. Most folks here have found (as have I) that these things are more reliable if you give them a reserved IP address in your router. Not at all difficult, but there’s some effort in managing the list, and some devices don’t have the MAC address printed on them, so you have to know where in the setup process to stop, and how to glean the MAC address so you can put it in the DHCP server, and how to re-start the setup process to ensure the correct address is used. Then there are the firewall rules to block these devices from phoning home. Or maybe you’ll set up a separate, dedicated network for IoT devices. Again, more effort. And of course there are the multiple integrations, each with its own quirks and, frankly, sometimes bugs (example, TP-Link.) And if you ever let your guard down and the devices get to phone home, they could get an update which causes them to fail in HA (again, like the EU TP-Link devices.)
In addition to all that, I’ve found these devices to be finicky about good quality network connections. Not all of us “light up” every remote corner of our houses with strong WiFi. If the power goes out in my neighborhood, and everyone’s access points start picking new channels at the same time, we can stomp on each other’s signals and different interference patterns can cause different devices to become unreliable. Then’s it’s a Star Trek mission to identify the interference, adjust channels on my network and re-connect everything.
Again, the WiFi hardware is fine. The functionality is fine. None of this is especially difficult to set up. It’s just make-work that I’d rather not have to do. Maybe it’s just dumb luck, but the Zigbee devices I’ve used, from several different manufacturers, have been truly plug-and-play. They figure out among themselves how to build and maintain their own mesh network, and never try to connect to the manufacturer’s cloud. I do have one device at the far end of my barn which doesn’t always respond immediately, but that was more of a test just to see how far I could push the Zigbee network’s capabilities. The rest of the devices have been rock-solid, set-and-forget appliances. Maybe not as much fun as being your own Network Administrator and Hardware Technician, but there’s a lot to be said for making things easy, too.
You’re absolutely right, network management is a complex and long process. It’s worth it if you consider that you rely on it for your house safety.
I like the zigbee devices too, very handy for small devices that do not have power (door/window sensors…). Using a Xiaomi gateway, I’m almost using the 30 devices available, so I spare them.
I have set up a network with firewall, DMZs, several SSID exposed by several access points through the house : those are needed anyway to have good coverage and correct throughput (I have teens, they watch videos everywhere !! 
)