Default set of Firewall rules to start with?

I now tested some additional configurations and firewall rules. Finally, I found a good working solution with HomePods, Apple Watch and Apple TV located in a VLAN and access from iPhones / iPads in the untagged LAN (including AirPlay). I will publish the new fw ruleset in the next days as best practice examples.
I assume having bonjour routing enabled plus the mDNS fw rule leads to routing of mDNS over VLANS (mDNS reflector) on peplink routers (as it works for me).
Tried some suggestions from:
https://forum.peplink.com/t/homekit-vlan-guest-wifi-setup-for-iot-security-on-peplink-balance-one/25515,
https://medium.com/@gepeto42/using-homekit-devices-across-vlans-and-subnets-aa5ae1024939
(I don’t use Avahi),
https://community.ui.com/questions/HomeKit-on-Isolated-VLAN/2fd20346-59df-4662-9559-0ecac7ec83cb
(see step 6, pinhole rule), and
https://vninja.net/2019/08/12/unifi-iot-networks/

I had other non-HomeKit devices on this VLAN (TP-Link Kasa switch and smart plug) but thinking now, I would move these to a different IoT VLAN with client isolation and guest protect enabled. Limits the attack vectors.

I solved this with specific internal firewall rules blocking all access from the IoT subnet to each of these devices and between them (example (x = concrete device IP): block 192.168.210.0/24 to 192.168.210.x). Increased safeguarding of the Epson printer with this as you recommended, too. :joy:

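The ruleset described in the post (allow mDNS across VLANs, allow the LAN to reach the HomeKit VLAN, and block the IoT subnet from reaching each HomeKit device individually) is easy to get wrong by ordering, because a broad allow placed above the per-device blocks silently shadows them. The following is an added example, not code from the post or from Peplink: a small first-match rule evaluator plus a shadow check that flags rules an earlier rule makes unreachable. The subnets (192.168.1.0/24 for the untagged LAN, 192.168.210.0/24 for the HomeKit VLAN) and the three device addresses are constructed; the evaluator is stateless and does not model return traffic or the router's own mDNS reflector.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed addressing (assumptions for this example, not from the post).
LAN = ip_network("192.168.1.0/24")        # untagged LAN with iPhones / iPads
IOT = ip_network("192.168.210.0/24")      # HomeKit VLAN
MDNS_GROUP = ip_network("224.0.0.251/32") # mDNS multicast group, UDP 5353
ANY = ip_network("0.0.0.0/0")
HOMEKIT_DEVICES = [ip_address(a) for a in
                   ("192.168.210.20", "192.168.210.21", "192.168.210.22")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str      # "tcp" or "udp"
    dport: int


def pkt(src: str, dst: str, proto: str, dport: int) -> Packet:
    """Convenience constructor from dotted-quad strings."""
    return Packet(ip_address(src), ip_address(dst), proto, dport)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and (self.proto is None or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))


def build_ruleset(devices: Iterable[IPv4Address]) -> List[Rule]:
    """Ruleset in the spirit of the post: mDNS pinhole, LAN -> IoT allowed,
    IoT subnet -> each HomeKit device blocked, everything else denied."""
    rules = [
        Rule("mdns", "allow", ANY, MDNS_GROUP, "udp", 5353),
        Rule("lan-to-iot", "allow", LAN, IOT),
    ]
    for d in devices:
        rules.append(Rule(f"iot-to-{d}", "deny", IOT, ip_network(f"{d}/32")))
    rules.append(Rule("default-deny", "deny", ANY, ANY))
    return rules


def misordered_ruleset(devices: Iterable[IPv4Address]) -> List[Rule]:
    """Same ruleset with a broad intra-VLAN allow put on top: a common mistake."""
    return [Rule("iot-internal", "allow", IOT, IOT)] + build_ruleset(devices)


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First-match evaluation, top to bottom; deny if nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    shadowed = []
    for i, r in enumerate(rules):
        if any(earlier.covers(r) for earlier in rules[:i]):
            shadowed.append(r.name)
    return shadowed


if __name__ == "__main__":
    good = build_ruleset(HOMEKIT_DEVICES)
    bad = misordered_ruleset(HOMEKIT_DEVICES)
    print("iPhone -> HomePod:", evaluate(good, pkt("192.168.1.10", "192.168.210.20", "tcp", 7000)))
    print("IoT plug -> HomePod:", evaluate(good, pkt("192.168.210.30", "192.168.210.20", "tcp", 80)))
    print("shadowed in good ruleset:", shadowed_rules(good))
    print("shadowed in misordered ruleset:", shadowed_rules(bad))
```

Running the shadow check on a ruleset before loading it into the router catches the ordering mistake that a quick connectivity test from an iPhone would not, since the iPhone path still works while the per-device blocks are dead.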