MQTT on a subnet, or how to make the embedded MQTT more secure?

Can I put MQTT into a subnet or a different Wi-Fi than HA for security reasons?

Or how to secure the embedded MQTT?

Set a username / password
Don’t use the default port
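
Added example (not part of the thread or of any poster's reply): a small Python check for the two tips above, run against a broker config. It assumes a Mosquitto-style `mosquitto.conf`, since the thread does not show the embedded broker's own config format; the sample configs, the port 28883 and the finding names are constructed for illustration.

```python
# Added example: audit a Mosquitto-style config for the thread's two tips
# (username/password required, no well-known port). Assumption: the broker
# reads mosquitto.conf-style "key value" lines; sample configs are constructed.
WELL_KNOWN_PORTS = {1883, 8883}  # IANA-registered MQTT and MQTT-over-TLS ports

def parse_conf(text):
    """Return (settings dict, listener ports) from mosquitto.conf-style text."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        value = rest[0].strip() if rest else ""
        if key in ("listener", "port") and value:
            ports.append(int(value.split()[0]))  # "listener <port> [bind addr]"
        else:
            settings[key] = value
    return settings, ports

def audit(text):
    """Return a list of findings; an empty list means both tips are applied."""
    settings, ports = parse_conf(text)
    findings = []
    if settings.get("allow_anonymous", "").lower() != "false":
        findings.append("anonymous-access")      # not explicitly disabled
    if not settings.get("password_file"):
        findings.append("no-password-file")      # no username/password store
    if not ports:
        findings.append("default-port:1883")     # no listener line: falls back to 1883
    findings += [f"default-port:{p}" for p in ports if p in WELL_KNOWN_PORTS]
    return findings

WEAK = """# constructed sample
listener 1883
allow_anonymous true
"""

HARDENED = """# constructed sample
listener 28883
allow_anonymous false
password_file /etc/mosquitto/passwd
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```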

Are you exposing your broker to the internet?

No, HA isn’t exposed outside.

Then your only threat is people who have already gained illegitimate access to your network. If that has happened, then you have already lost 😭 and any additional measures to your MQTT are just going to be an inconvenience to you, not your attacker.

You should, of course, keep any guests on a separate Wi-Fi network, but that is just standard security.