IoT, Guest, Primary best practice network security RB850

Like beauty, security practices are "in the eye of the beholder".  What one person considers "best" others may think of as "meh".

Random comments:

IoT Network. Your observation is correct.  Devices connected to the IoT network are in the same IP subnet as everything except Guest devices.  The IoT network was created to address a specific customer complaint: that the primary 2.4G and 5G WiFi network has only one SSID.  The 2.4G and 5G WiFi networks cannot be given different names, which was a common feature on earlier WiFi routers.  Some IoT devices have poorly written smart phone apps and setup struggles when the phone is connected at 5G.  Netgear "held the line" for years and finally offered a solution: create a different WiFi network where the 5G signal could be turned off.  (There were numerous other solutions Netgear could have implemented, but that's the one they chose.  If a particular user finds that all IoT devices are "no problem" to set up, there is no reason to enable the IoT network.

Guest Network.  With the guest network being "separate", it is not possible to access devices on the guest network from the primary network.  For the vast majority of IoT devices, this is not a problem because the app managing them goes "through the cloud".  If the app will turn on a light bulb from Starbucks or when driving around in a car, being on the guest WiFi network is not a problem.  In one sense, therefore, putting IoT devices on the guest WiFi is "more secure" because if some evil person "takes over" the IoT device, there is not much damage they can do.  But......really? Are we worried about Dr. Evil commandeering our smart plugs?

Can you please explain how attempts to connect to a laptop on the Orbi LAN are detected?  The laptop is 'hidden' behind Network Address Translation (NAT).  It does not have a public IP address.  Are ports being forwarded through the router to this laptop?