Network for IoT

I have several wifi IoT devices that I would like to isolate from the computers, mobile phones, etc.

Currently my wifi setup is the ISP modem/router and an eero pro 6 in bridge mode, as the ISP router cannot be set to bridge mode. What device do you recommend to create VLANs and set firewall rules? Should it sit between the ISP router and the eero?

On a different note, can wireguard or cloudflare be used to connect HA to Google Home?

Unless your ISP router/modem supports a second network (meaning a separate VLAN) then you’ll have a hard time doing what you want. Whatever device handles routing for a network needs to be VLAN aware or you’re going to have a bad time.

Those are different things, so no.

I did not intend to put wireguard and cloudflare in the same basket as a VLAN.
It was just a different question.

I meant that they are different technologies than brokering a connection into a cloud service provider like Google.

eero cannot handle VLANs. But the bigger problem you have is the ISP supplied modem. You need a modem that can be set into bridge mode so you can handle all of the routing and networking. Otherwise you will run into double NAT issues. You need a managed network setup that can handle VLANs and routing both wired and wireless. More specifically you need the WAPs to be able to tag separate SSIDs with a VLAN number, then connect your IoT devices to that SSID and only that SSID. Then you set up firewall rules to limit traffic to/from that VLAN to other VLANs or the internet. I use a Firewalla Purple with an Aruba InstantOn 1930 managed switch and AP22 managed WAPs. I used to have a full UniFi system with a UDMP, 24 port PoE switch, and nanoHDs.

In my case it is not possible to replace the ISP modem/router.

Running a double NAT setup for ages and got no troubles. Only thing to keep in mind is that when you want to punch a hole in from outside (e.g. running your own wireguard setup) you need to set up the port forwarding two times (ISP router and on your own router).

Cheap consumer grade hardware is even capable of this as long as (recent) OpenWrt support is present. :muscle:

www.openwrt.org

My $10 used router does VLAN just fine: [OpenWrt Wiki] TP-Link TL-WDR3600 (N600)

So stick with it :wink:

What is your goal in isolating these clients from each other? Are there ones you trust more or others less? Do you want to cut internet access for some devices? :twisted_rightwards_arrows:

Looks like you have high trust in our big brother :grin:

In which situations would I run a wireguard setup?

Any specific router you recommend to sit between the ISP router and the eero?

I want to isolate my IoT devices from the remaining ones, to avoid that, if they are hacked, access is granted to devices with more potential for sensitive information.

If you want to access your Home/HA Network from the internet :bulb:

Something which suits your needs? Like I just said, if you don’t just buy hardware but also pay attention to superior software support (OpenWrt capability), you can get a very capable system for cheap (even more so if you buy second/third… hand :wave:). Just take care to have enough headroom regarding flash and memory (like 16/128 MB and up should be good for the next 5 years I’d expect).

https://openwrt.org/supported_devices

Would a simpler solution work?

  1. IoT devices on the Main ISP Router.
  2. HA server, Phones and Computers on eero pro 6 (not on bridge mode).

As far as I could read online, devices on 1 can’t see the devices on 2 but devices on 2 can see the devices on 1.

Exactly. That’s a router cascade and an easy way to separate LANs thanks to NAT :stop_sign:

Your eero LAN will then have a “double NAT” to reach the www - some people have issues with that but it actually shouldn’t be problematic at all - I have been running such setups for years without any downsides. :upside_down_face:

I use this combination and maybe this is something for you too:
I use a special modem/router from the ISP that is in bridge mode and a Mikrotik router.
The router is set up with different VLANs for IoT, private and WiFi devices and this works well.

My ISP does not allow bridge mode.