The correct way is to create VLANs. Then use the router's firewall to prevent devices in the IOT network from reaching into your other networks. Not all consumer network hardware supports VLANs though.
Gotcha. You can never tell how an IOT device is scanning your network. It could be passively listening for broadcast messages, or it could be actively scanning all the private subnets.
So, you probably need an access point that can do "client isolation" or "layer 2 isolation". This would prevent clients on the same wireless SSID from talking to each other.
That's a good idea when you're just working with what you might have on hand. But if you're buying something, consider going a step above consumer network gear. There you'll find wireless access points that let you configure multiple wireless SSIDs on mixed or isolated radios...all at the same time.
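The VLAN-plus-firewall setup recommended in the thread, sketched as an nftables ruleset. This is an added example, not a configuration posted by anyone in the thread. It assumes a Linux-based router that uses nftables, and the interface names (`br-lan`, `br-iot`, `eth0`) are hypothetical placeholders for the trusted VLAN, the IOT VLAN and the WAN uplink.

```nft
# Constructed example: interface names are assumptions, adjust to your router.
define LAN_IF = "br-lan"   # trusted VLAN
define IOT_IF = "br-iot"   # IOT VLAN
define WAN_IF = "eth0"     # internet uplink

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed to start may flow back.
        ct state established,related accept
        ct state invalid drop

        # Trusted devices may open connections to IOT devices and the internet.
        iifname $LAN_IF oifname $IOT_IF accept
        iifname $LAN_IF oifname $WAN_IF accept

        # IOT devices may reach the internet only.
        iifname $IOT_IF oifname $WAN_IF accept

        # IOT devices starting connections into the trusted VLAN: count, log, drop.
        iifname $IOT_IF oifname $LAN_IF counter log prefix "iot-to-lan drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Trusted VLAN may manage the router.
        iifname $LAN_IF accept

        # IOT VLAN gets DNS and DHCP from the router, nothing else.
        iifname $IOT_IF udp dport { 53, 67 } accept
        iifname $IOT_IF tcp dport 53 accept
        iifname $IOT_IF counter drop
    }
}
```

The counter and log line on the IOT-to-LAN rule show whether a device is actively probing the trusted subnet. Traffic between devices inside the IOT VLAN never passes through the router, so blocking it still needs the access point's client isolation.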