I've integrated my few Tuya devices into a separate IoT Wi-Fi network, creating an isolated VLAN. This meant the Tuya devices didn't have direct access to my main VLAN running Home Assistant.
Access to the Tuya devices was managed via Tuya Integration.
Now I have one Tuya device that only displays one of its many values in Home Assistant. The solution would be to integrate it via Tuya Local. However, my main network (Home Assistant) only uses WPA3, which the Tuya device doesn't support. Even so, I'd consider it too insecure for my main network.
If you are worried about security, buy NO (zero) Tuya Wi-Fi. None.
Tuya Zigbee can usually be run locally without any Tuya Hub.
As Wally said, buy something else that is local.
Buy a Zigbee or Z-Wave device.
Matter can be a problem with security as well because it requires IPv6 which is hard to contain.
For the sake of simplicity (less configuring, less headaches, less concerns), replacing the device/s and moving to Zigbee, Z-Wave, or Thread is certainly the path of least resistance.
But for the sake of dialectics, there are things you can do with the WiFi devices to isolate and secure them locally.
Step 1 is segmenting the network (via VLAN). This is possible, but you'd be introducing layers of complexity, because now you need to be mindful of all the various protocols of the devices (Avahi, mDNS, etc.), as well as poking holes in your firewall for cross-interfacing between networks if devices need to communicate with other devices and discovery. This is a rabbit-hole all on its own that can lead to disaster. I'm not going to go into further details of what this entails, but there are plenty of threads on this forum that touch the subject. I will say this - HA is designed for a flat network. Happy digging.
If you proceed and manage to successfully complete Step 1, then Step 2 is setting up Tuya Local.
Step 3 is banning your device from communicating with your WAN interface (the internet) using a traffic rule in your firewall.
Step 4 is redirecting the device's DNS probes into a blackhole via Pi-hole or AdGuard so that it can't phone home under any circumstances.
Step 5, if the device needs time correction (like RTSP cameras), is forwarding the device's NTP probes to a trusted source for time.
I've done it before. Do I recommend it? No. Absolutely not. At least not for anyone with novice knowledge of networking. Even though I managed to accomplish it, I still ended up replacing the device and going with Zigbee.
If measuring the pool water level is your end-game, your better bet is going DIY and using ESPHome with an ESP32. There are several threads on the forum of people setting this up for sump pits and aquariums.
To answer your questions. Yes, both the device and HA need to communicate, and if you set up VLANs, then your hurdle is making sure HA can discover the device. I would think Tuya Cloud has bot protections, so sending additional info via MQTT may not be a simple task, as you would need to scrape the info from the cloud.
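Steps 3 to 5 of the post above (no WAN for the IoT VLAN, DNS forced into the sinkhole resolver, NTP forwarded to a trusted server) written out as one nftables ruleset on a Linux router. This is an added example, not anyone's posted config: the interface names, the IoT subnet and the Home Assistant, Pi-hole/AdGuard and NTP addresses are placeholders you replace with your own. The DNAT rules catch devices that ignore DHCP and hard-code a public resolver or time server; the actual blackholing of the vendor domains still has to be configured in Pi-hole/AdGuard itself.

```shell
#!/bin/sh
# Added example: nftables ruleset for an isolated IoT VLAN (steps 3-5 of the post).
# All values below are placeholders (assumptions), override them via the environment.
IOT_IF="${IOT_IF:-vlan20}"               # router interface of the IoT VLAN
WAN_IF="${WAN_IF:-eth0}"                 # router interface facing the internet
IOT_NET="${IOT_NET:-192.168.20.0/24}"    # IoT VLAN subnet
HA_HOST="${HA_HOST:-192.168.10.5}"       # Home Assistant on the main VLAN
DNS_SINK="${DNS_SINK:-192.168.10.53}"    # Pi-hole / AdGuard that blackholes the vendor domains
NTP_SRC="${NTP_SRC:-192.168.10.123}"     # trusted local NTP server

# Emit the ruleset. Kept in a function so it can be inspected before it is applied.
generate_ruleset() {
  cat <<EOF
table ip iot_isolation {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Step 4: every DNS query from the IoT VLAN lands on the sinkhole resolver,
    # even if the device has 8.8.8.8 or a vendor resolver hard-coded.
    iifname "$IOT_IF" udp dport 53 dnat to $DNS_SINK
    iifname "$IOT_IF" tcp dport 53 dnat to $DNS_SINK
    # Step 5: NTP is answered by a server we trust instead of the vendor's.
    iifname "$IOT_IF" udp dport 123 dnat to $NTP_SRC
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    # Replies to connections HA opened towards the device (Tuya Local) stay allowed.
    ct state established,related accept
    # The only hosts the IoT VLAN may reach on its own.
    iifname "$IOT_IF" ip daddr $HA_HOST accept
    iifname "$IOT_IF" ip daddr $DNS_SINK accept
    iifname "$IOT_IF" ip daddr $NTP_SRC accept
    # Step 3: nothing from the IoT VLAN leaves via the WAN; log it so phone-home
    # attempts show up in the router log.
    iifname "$IOT_IF" oifname "$WAN_IF" log prefix "iot-wan-blocked: " drop
    # Anything else originating in the IoT VLAN (other internal VLANs) is dropped too.
    iifname "$IOT_IF" ip saddr $IOT_NET drop
  }
}
EOF
}

# Load the ruleset into the kernel (needs root and nftables installed).
apply_ruleset() {
  generate_ruleset | nft -f -
}

main() {
  case "${1:-show}" in
    apply) apply_ruleset ;;
    *)     generate_ruleset ;;   # default: just print the ruleset for review
  esac
}

main "$@"
```

Run the script without arguments to review the generated rules, then with `apply` on the router. The forward chain keeps `policy accept` so the rules only constrain traffic entering from the IoT interface; because the DNS and NTP DNAT happens in prerouting, the redirected packets already carry the sinkhole or NTP address when the forward chain sees them and are accepted by the explicit host rules.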