As above, VLANs or separate subnets are easiest/best for this. I built my own router using an old Dell Optiplex mini PC (i7 3700, 8GB RAM) with a 4 port Intel server NIC. I installed Arch Linux on it, used the built-in network interface (also Intel) as WAN and allocated the four network ports on the card to separate subnets (trusted LAN, WiFi and 'untrusted' visitors, DMZ/servers and IoT/CCTV). Using the Shorewall firewall I set up a policy that allows the trusted LAN clients access to anywhere, but nobody (whether from the internet or other subnets) is allowed in. The other subnets can access the net but not other clients on the network, and only servers in the DMZ have the needed ports forwarded using DNAT. I have DNS over HTTPS running on the network (and accessible from WAN for when I'm out of the home on my phone/laptop/iPad etc), and SSH is enabled on the router but only to a non-root user with my SSH key, not a password.
When guests come around they scan a QR code on the wall (where the networking gear is) and get connected to a segregated guest WiFi network (Unifi UAP AC Pro) which again only has access out to the net but not to any other clients, WiFi or otherwise. Nobody can get in, nobody can communicate with other devices (unless in the trusted LAN) and everything's locked down tight. I see thousands of access attempts every day (mostly from Russia and China on random ports like RDP, Telnet, some SSH) but since everything's locked down tight they can't get in.
I'd prefer to run the box on an OpenBSD base but until they finish their in-kernel WireGuard implementation I'm sticking to a barebones Linux install (which has no GUI and only uses about 80MB RAM anyway).
You may not wish - or be able - to go to these lengths, but the takeaways remain (and some are listed above by others). Segregate non-trusted clients, don't allow inter-device communication on your WiFi network(s), lock down the router with a strong password, or better yet an SSH key, and don't use the default username (admin, root, whatever) if at all possible. Move to a third-party open source firmware if possible, as OEMs are frankly incompetent and dangerously slow at patching security flaws in routers, if they ever do (which is rare). Disable WAN access to any and all services unless you have an explicit reason not to (and still run a firewall on the router), with NAT as a secondary 'soft firewall' backup (i.e. running services don't resolve from your public IP to a local IP). Disable WPS, period. Have very strong (>30 characters, numbers, letters, mixed case, special symbols) WiFi passwords and use a QR code to make it easy to connect devices you trust. Don't open ports unless you know what you're doing. Definitely disable UPnP/NAT-PMP or similar if your router offers it (most normal commercial ones do). Don't let crappy IoT devices like cameras, fridges, TVs etc run on your main network - segregate them off, either with the untrusted WiFi or better yet on a wholly dedicated subnet/VLAN. Educate yourself, even if it's only for a few hours. While 'a little knowledge is a dangerous thing', in the case of cyber security a little knowledge is far better than none at all.
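For anyone wanting to reproduce the zone policy the comment above describes (trusted LAN anywhere, guest/DMZ/IoT out to the net only, nothing initiating inbound, DNAT only for specific DMZ services), here is an added example of what the Shorewall 5 configuration looks like. This is not the commenter's own config; the interface names (eno1 onboard WAN, enp2s0f0-f3 on the add-in NIC), the 192.168.x.0/24 subnets, the DMZ web host 192.168.3.10, and the choice to run the DoH listener on the router itself at tcp/443 with a plain DNS resolver on 53 for the internal zones are all assumptions. The script writes the files into a directory you name so it can be reviewed before copying into /etc/shorewall.

```shell
#!/bin/sh
# Added example, not the original commenter's configuration.
# Writes a Shorewall 5 zones/interfaces/policy/rules/snat set implementing:
#   lan   -> anywhere            (trusted)
#   guest, dmz, iot -> net only  (no lateral access)
#   net   -> nothing, except explicit DNAT/ACCEPT rules below
# Interface names, subnets and the DMZ host are assumptions; edit to fit.
set -eu

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # One zone per physical port plus the router itself ($FW = "fw").
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4
guest   ipv4
dmz     ipv4
iot     ipv4
EOF

    # Assumed interface names. "dhcp" lets the router serve DHCP on that zone
    # without a separate rule; "routefilter" enables reverse-path filtering
    # so a host cannot spoof another zone's source address.
    cat > "$dir/interfaces" <<'EOF'
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eno1        tcpflags,nosmurfs,routefilter,sourceroute=0
lan     enp2s0f0    tcpflags,nosmurfs,routefilter,dhcp
guest   enp2s0f1    tcpflags,nosmurfs,routefilter,dhcp
dmz     enp2s0f2    tcpflags,nosmurfs,routefilter
iot     enp2s0f3    tcpflags,nosmurfs,routefilter,dhcp
EOF

    # Default policy, first match wins. Only lan (and the router) may reach
    # "all"; the other three zones are limited to net. Unsolicited traffic
    # from the internet is silently dropped, inter-zone traffic is rejected.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
$FW     all     ACCEPT
lan     all     ACCEPT
guest   net     ACCEPT
dmz     net     ACCEPT
iot     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Explicit exceptions. Assumed: DoH listener on the router at tcp/443,
    # plain DNS resolver on the router for the internal zones (lan is already
    # covered by policy), and one DMZ web server reached via DNAT on tcp/80.
    # No SSH rule from net: it stays covered by "net all DROP".
    cat > "$dir/rules" <<'EOF'
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
#ACTION         SOURCE  DEST                PROTO   DPORT
HTTPS(ACCEPT)   net     $FW
DNS(ACCEPT)     guest   $FW
DNS(ACCEPT)     dmz     $FW
DNS(ACCEPT)     iot     $FW
DNAT            net     dmz:192.168.3.10    tcp     80
EOF

    # Masquerade every internal subnet behind the WAN interface (assumed
    # 192.168.0.0/16 aggregate for the four /24s).
    cat > "$dir/snat" <<'EOF'
#ACTION     SOURCE          DEST
MASQUERADE  192.168.0.0/16  eno1
EOF
}

# Usage: ./shorewall-example.sh /tmp/shorewall-review
if [ "$#" -eq 1 ]; then
    write_shorewall_config "$1"
fi
```

After copying the files into /etc/shorewall (and setting STARTUP_ENABLED=Yes and IP_FORWARDING=On in shorewall.conf), run `shorewall check` to compile the ruleset without loading it, then `shorewall restart`. The `net all DROP info` line is what produces the logged scan attempts the comment mentions, so expect /var/log/messages (or the journal) to fill up with them.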