missing-root
missing-root I dont think GrapheneOS advises people to install Firewall apps using the VPN function.
RethinkDNS combines local filtering via DNS with the ability to directly use a WireGuard VPN without another app. It also has other features such as connection monitoring. This is a much better approach than most of the apps in this space which force choosing between them and a VPN, recommend problematic TLS interception (AdGuard), etc.
missing-root What would a per-app firewall have to do with VLANs?
Some people advised OP to use "Client Isolation" and other obscure, largely proprietary router settings, yet nobody has mentioned the core technology that would allow OP to separate devices.
alfred Turning on Client Isolation in your router