Yes there is (VLANs) and that's why they've been a thing for quite a while. Securing stuff might mean things like firewalls. When you are defining firewall rules you need to define where FROM where TO and WHAT and ACTION. This is what out of the box TCP/IP gives us. It can be rather more complicated but we are discussing VLANs.
You might have PCs, servers, TVs, printers, cameras and more on your network. You might want some of thos to access the internet and some not. Some from the internet and some not. Anyway - policy - what should be able to get from A -> B.
VLANs allow you more flexibility. You can now have lots of different TOs and FROMs. So you can put your security cameras on a VLAN with no access to the internet. You can still access them but they cannot splurge to the wider world.
Three RPis? Perhaps. Depends on the job. I'd probably throw another VM on the fire.
But why do you need it in your home? Do you really cut off your printer in a VLAN and do some specific routing/filtering? I know how to do that, but I just don't see the benefit.
If you want to cut off one device from the internet, my solution would be to set a specific DHCP rule to not deliver a gateway/dns. Easy and good enough to cut off a printer from the internet. My home does not need the same network security as a nuclear power plant...
Your point is more about subnets and less about VLANs. You can have firewall rules that restrict entire subnets from access the Internet; you don't have to define a rule for each device. VLANs just give you assurance that a device can't just change its subnet to your main one and gain access that way. Realistically, there wouldn't be any IoT device that would do this. But I agree if you can do VLANs, you should do them over basic subnets.
You might have PCs, servers, TVs, printers, cameras and more on your network. You might want some of thos to access the internet and some not. Some from the internet and some not. Anyway - policy - what should be able to get from A -> B.
VLANs allow you more flexibility. You can now have lots of different TOs and FROMs. So you can put your security cameras on a VLAN with no access to the internet. You can still access them but they cannot splurge to the wider world.
Three RPis? Perhaps. Depends on the job. I'd probably throw another VM on the fire.
(EDIT - grammar)