Regarding the complaints about IOT devices and LAN local services: I wonder if it would be possible, and reasonable, to define some sort of LAN certificate authority protocol, which behaves a bit like Let's Encrypt, but only for services that are on LAN local subnets.
Normally, something like your WiFi router would fulfil this role, local services would poll it to obtain signed certs, and, browsers would poll it for a CA cert which they would apply as a trust root for LAN local subnets only.
Normally, something like your WiFi router would fulfil this role, local services would poll it to obtain signed certs, and, browsers would poll it for a CA cert which they would apply as a trust root for LAN local subnets only.