Still, that is still an infiltration first - the malicious URL/programme made it through the defenses. My antivirus/internet protection inspects emails and web data (including https) to try and block them - or at least alert.
I almost added that you need to select the SW carefully. Any privileged SW is open for DLL attacks. My antivirus (not in your list) notified me daily about an unsigned installer (Microsoft!!!) being used - turns out this was for updating some Beta version of Edge - the procedure to uninstall it was “uncommon”.
True, but a browser-based one can be snake-oil. The DNS list works instantly for all devices even when you can’t control the browser or hidden OS communications, including for Home Assistant that was using Cloudflare.
I can assure you that the DNSBL is very effective for ads - I regularly have a site indicating that I should deactivate my adblock software - and then I think: I am not using adblock software ;-).
Yes, but you installed SW in your router - as far as I understand it, you need a managed switch to use VLANs.
Sure, when you’re connected on LTE (not IoT-NB), you have IMHO a data connection. And I would separate the “IP” for making phone calls from the “IP” for the user. A cellular phone has multiple processors and the sub-system handling the communication is well separated from processor(s) handling the user applications and GPU.