After considering the linked article in the OP, doing a bit of extra studying, and following the resources below, I now have the following setup on my network:
- Corporate LAN - my main LAN which supports desktops and laptops, phones, NAS, etc. It has a wifi network.
- IoT VLAN - supports automation devices. This LAN also has a wifi network (same AP as the Corporate LAN but a different SSID, since I only have one AP). The corporate network can communicate with this VLAN, but not the other way around.
- Zombie VLAN - supports things that need Internet access but don't need to talk to the other LANs (e.g., Blu-ray players). The corporate network can communicate with this VLAN, but not the other way around.
- VPN - virtual private network.
So, for example (there's lots more):
- Chamberlain MyQ bridge - needs Internet but doesn't need access to anything on the LAN. It goes on the Zombie VLAN since the excellent MyQ plugin gets its information from the MyQ server over the Internet and not the bridge itself.
- Blu-ray players - need Internet for firmware updates and whatnot but no local LAN communication at all. Definitely Zombie VLAN.
- Smart TVs - Zombie VLAN.
- AVRs - Zombie VLAN.
- Rokus - Corporate VLAN. These are our main streaming devices. They need access to NAS content.
- TiVos - I've left these on the Corporate LAN because they also need access to NAS content.
- Magic Home WiFi RGB Controller - this needs wifi and local communication with Indigo and the new Flux/LED plugin so it goes on the IoT VLAN.
I was nervous about adding the VPN, but it turned out to be incredibly easy with the UniFi Controller. I found the following combination of resources to be all I needed (note that the UniFi instructions don't include the step where you must create the RADIUS VPN user account, but the YouTube video does).
https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-L2TP-Remote-Access-VPN-with-USG-as-RADIUS-Server
https://youtu.be/ote3Zv0XdyU
https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-user-remote-vpn-setup-quot-for-dummies-quot/td-p/2169437
I plan to add a guest network (with wifi and Internet but no communication with other LANs), but haven't done that yet. I'm also still considering what to do about things like Sonos (the OP article talks about that a bit). Definitely not regretting my move to all UniFi.
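As an added illustration of the one-way inter-VLAN policy described in the post above (this is example code, not UniFi configuration and not the poster's setup): a small Python model of a stateful packet filter that evaluates constructed flows against an ordered rule list, the way a USG or iptables firewall does. It shows why "Corporate can reach IoT/Zombie but not the other way around" depends on an allow-established rule placed before the drop rule: with that rule removed, the Corporate-to-IoT connection is accepted but the IoT device's reply is dropped, so the connection fails. The subnets, device addresses and the Magic Home controller port (5577) are assumptions chosen for the example.

```python
"""Model of a one-way inter-VLAN firewall policy (illustration, not UniFi config)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the three VLANs; the post gives none.
VLANS = {
    "corporate": ip_network("192.168.1.0/24"),
    "iot": ip_network("192.168.20.0/24"),
    "zombie": ip_network("192.168.30.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESTRICTED = {"iot", "zombie"}  # VLANs that may only open connections to the Internet


def zone_of(addr: str) -> str:
    """Map an address to a VLAN name, 'private' (other RFC1918) or 'internet'."""
    a = ip_address(addr)
    for name, net in VLANS.items():
        if a in net:
            return name
    return "private" if any(a in n for n in RFC1918) else "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class StatefulFilter:
    """Ordered rules plus a connection table keyed by (client, server, server_port)."""

    def __init__(self, allow_established: bool = True):
        self.allow_established = allow_established
        self.conntrack: set[tuple[str, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)

        # Same VLAN: switched locally, never reaches the router's firewall.
        if src_zone == dst_zone:
            return "ACCEPT"

        # Rule 1: reply to a connection we already accepted (established/related).
        if self.allow_established and (pkt.dst, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"

        # Rule 2: Corporate may open connections to anything.
        if src_zone == "corporate":
            verdict = "ACCEPT"
        # Rule 3: IoT/Zombie may not open connections to any private network
        # (this also keeps IoT and Zombie from talking to each other).
        elif src_zone in RESTRICTED and dst_zone != "internet":
            verdict = "DROP"
        # Rule 4: IoT/Zombie may reach the Internet.
        elif src_zone in RESTRICTED and dst_zone == "internet":
            verdict = "ACCEPT"
        else:
            verdict = "DROP"  # default deny, including unsolicited inbound from the Internet

        if verdict == "ACCEPT":
            self.conntrack.add((pkt.src, pkt.dst, pkt.dport))
        return verdict


def run_scenarios(allow_established: bool) -> dict[str, str]:
    """Constructed traffic: Indigo and a NAS on Corporate, a Magic Home controller
    on IoT, a Blu-ray player on Zombie, and an update server on the Internet."""
    fw = StatefulFilter(allow_established)
    indigo, nas = "192.168.1.10", "192.168.1.20"
    magic_home, bluray, updates = "192.168.20.50", "192.168.30.40", "203.0.113.10"
    return {
        "indigo->magic_home": fw.decide(Packet(indigo, magic_home, 50123, 5577)),
        "magic_home->indigo reply": fw.decide(Packet(magic_home, indigo, 5577, 50123)),
        "magic_home->nas": fw.decide(Packet(magic_home, nas, 40000, 445)),
        "bluray->updates": fw.decide(Packet(bluray, updates, 41000, 443)),
        "updates->bluray reply": fw.decide(Packet(updates, bluray, 443, 41000)),
        "bluray->magic_home": fw.decide(Packet(bluray, magic_home, 42000, 5577)),
    }


if __name__ == "__main__":
    for label, enabled in (("with established rule", True), ("without established rule", False)):
        print(label)
        for flow, verdict in run_scenarios(enabled).items():
            print(f"  {flow:28s} {verdict}")
```

Running it with the established rule in place gives ACCEPT for the Indigo-to-controller connection and its reply, for the Blu-ray player's update check and its reply, and DROP for the controller reaching the NAS and for Zombie reaching IoT. Without the established rule, the forward packets are still accepted but both replies are dropped, which is the symptom people see when the drop rule is placed before, or without, an allow-established rule in the LAN_IN rule set. Traffic to a VLAN's own gateway (DHCP, DNS) is not modelled here; it stays within the VLAN and is handled separately from inter-VLAN rules.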