IOT (Internet of Things) security with Peplink

To follow up on this, here’s what I ended up doing:

Under Network/LAN: Created a VLAN for the guest device. Inter-VLAN routing is ON (but see below for firewall rules). I’m using 1003 because that’s the VLAN ID that Airport Extreme base stations use for their Guest WIFI network. See Using Peplink Balance with Apple Airport Guest Network

Moved all potentially unsafe devices, including Printers and IOT devices and the AppleTV (which serves as the HomeKit hub) onto the Guest WIFI (VLAN 1003)

Other IOT devices which connect via Ethernet (such as the Philips Hue bridge) were connected to one of the ports on the Balance One, set to Access / VLAN (this is found in Network/LAN/Port Settings).

Enabled Bonjour Forwarding (See Network/LAN) ServiceNetwork=Guest VLAN, Client Network = Untagged.

Added Firewall/Access Rules:
“AllowAppleTV” Protocol Any, single address (address of AppleTV), To Network (untagged network): Allow
“BlockGuestVLAN” Protocol Any, Network (Address of GuestVLAN), To Network (untagged network): Deny

Basically, this keeps the IOT devices on the Guest VLAN/WiFi network. They can see each other, but they can not see into the trusted network. But, the opposite direction is open: devices on the trusted network can talk to devices on the guest VLAN.

So far so good!

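To make the effect of the two access rules above concrete, here is an added example (not from the post or from Peplink) that models the router's first-match rule evaluation in Python. The addresses for the untagged network, the guest VLAN and the AppleTV are constructed assumptions; the example also shows why the AllowAppleTV rule has to sit above the BlockGuestVLAN rule.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the post):
# untagged/trusted LAN 192.168.1.0/24, guest VLAN 1003 10.10.3.0/24,
# AppleTV (HomeKit hub) at 10.10.3.20.
TRUSTED = ip_network("192.168.1.0/24")
GUEST_VLAN = ip_network("10.10.3.0/24")
APPLETV = ip_network("10.10.3.20/32")

# The two internal access rules, in the order the post lists them.
# Each rule: (name, source network, destination network, action).
RULES = [
    ("AllowAppleTV", APPLETV, TRUSTED, "allow"),
    ("BlockGuestVLAN", GUEST_VLAN, TRUSTED, "deny"),
]


def evaluate(src, dst, rules=RULES, default="allow"):
    """First-match evaluation: return (action, rule name) for src -> dst.

    Both rules use protocol 'Any', so only addresses are compared.
    Traffic that matches no rule falls through to the default action
    (allow), which is why trusted -> guest stays open.
    """
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action, name
    return default, "default"


if __name__ == "__main__":
    flows = [
        ("10.10.3.20", "192.168.1.10"),  # AppleTV -> trusted: allowed
        ("10.10.3.55", "192.168.1.10"),  # printer -> trusted: denied
        ("192.168.1.10", "10.10.3.55"),  # trusted -> printer: allowed
        ("10.10.3.55", "10.10.3.20"),    # guest -> guest: allowed
    ]
    for src, dst in flows:
        print(src, "->", dst, evaluate(src, dst))
    # Rule order matters: with the deny rule first, the AppleTV is blocked too.
    print("reversed order:", evaluate("10.10.3.20", "192.168.1.10", rules=RULES[::-1]))
```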