Why are all bets off if you have malware on my network? My devices are hardened with the expectation of being on hostile networks. My computers, phone and home server all assume that they are exposed to malicious actors. Of course defence in depth is also important, but there is no reason that all bets should be off if an attacker can access your device over the network.
This is the only sane way. You are then able to reason about impact and reasonably investigate when you inevitably end up dealing with an incident. Relying on a "trusted internal network" went out of fashion a long time ago.
Do you consider yourself a malicious actor to yourself? Because that's what you're saying.
I am assuming the hypothetical compromised laptop is your own, and thus assuming it contains credentials.
What credentials? Everything. All your credentials are belong to us.
At that point, the only way to defend against that is to have never trusted yourself. That's a ridiculous stance for any normal person; their home network is a trusted space.
That's why I'm saying all bets are off, you have bigger fish to fry than caring about some shitass firmware written by some third rate bank clerk in Bangladesh in a plastic box made by the finest sweatshops in China.
Why would you assume the compromised laptop is my own? What if I have roommates? Or a friend comes over for a LAN party? I want them on my real network for Steam game transfers and game traffic. Maybe I want them to pull mods off of my NAS.
In that case, yes that network isn't a home network and should be untrusted as such.
Personally, were I in your situation, I would have individual computers for each network as needed for total and proper segregation of trust; a NAS for the home and a NAS for the public (e.g. LAN party) network. I would not trust a single computer with all sorts of data to safely handle two wildly different levels of trust simultaneously like that.
I consider the home network a trusted enclave. Thus, all bets are off if a compromised laptop is in the home network. I assumed the laptop was your own as a worst case scenario (Credentials! In plain arm's reach!). If an untrusted third party laptop breached or was invited into your home network, that's not immediately as bad but the bets are still off.
Basically: I see worrying about shitass firmware when you haven't secured the network as pointless. The hypothetical situation presented was a compromised laptop in the network; forget the firmware, you need to deal with that laptop and then commence cleanup of the network first.
We seem to have very different approaches to security. I'd instead say "forget about the network, you need to secure your servers".
I fundamentally dislike "secure enclaves", since they amount to giving up at some point. You can instead meaningfully exercise "defence in depth" by trying to keep file servers secure against unauthenticated attackers, or even authenticated ones; by not running unneeded network services on your desktops; etc.
Securing one layer perfectly might be tempting, but it's much more work than securing multiple layers "well enough". In other words, "shared WPA2 WiFi + an up-to-date TrueNAS system + multiple accounts for different users" will be much less work and more practical than any network-only solution you can suggest.
A layered approach also means that you don't need to worry so much about someone else's screwups. A friend had malware on their laptop, but didn't have credentials for the NAS? Not much need to worry, maybe just change the WiFi password and you're probably fine. They had access to a limited account? Probably only the data on that account is compromised. Most times you won't even get to check logs to confirm or start some top-to-bottom "cleanup", since you'll never know this even happened.
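One concrete piece of the "don't run unneeded network services on your desktops" layer above is a check for which listening sockets are reachable from the LAN at all, as opposed to bound to loopback. The following is an added example, not code from anyone in this thread: it parses text in the shape of Linux `ss -ltnp` output (the sample below is constructed, not captured from a real host) and flags every non-loopback listener whose port is not on a hypothetical allowlist of services that are meant to be reachable from the home network.

```python
"""Flag listening sockets exposed beyond loopback.

The sample input is constructed to resemble `ss -ltnp` output on Linux;
the allowlist is a hypothetical policy for a home desktop or NAS.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical policy: ports that are expected to accept connections from
# the LAN (SSH and SMB here). Any other non-loopback listener is flagged.
ALLOWED_LAN_PORTS = {22, 445}

# Constructed sample in the layout of `ss -ltnp` (not real host data).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=901,fd=40))
LISTEN 0      128    [::]:5900           [::]:*            users:(("vncserver",pid=1200,fd=5))
LISTEN 0      128    192.168.1.10:8096   0.0.0.0:*         users:(("jellyfin",pid=1300,fd=9))
LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=1400,fd=6))
"""


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

    def is_loopback(self) -> bool:
        # 127.0.0.0/8 and ::1 are only reachable from the host itself.
        return ipaddress.ip_address(self.address).is_loopback


# "Local Address:Port" column: optional [brackets] around IPv6, then :port.
ADDR_RE = re.compile(r"^\[?([0-9a-fA-F.:*]+?)\]?:(\d+)$")
# First process name inside the users:(("name",pid=...)) column.
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(text: str) -> list[Listener]:
    """Parse LISTEN rows from ss-style output into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        m = ADDR_RE.match(fields[3])
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr == "*":  # some ss versions print "*" for the wildcard address
            addr = "0.0.0.0"
        pm = PROC_RE.search(line)
        listeners.append(Listener(addr, port, pm.group(1) if pm else "?"))
    return listeners


def exposed_listeners(listeners, allowed_ports=ALLOWED_LAN_PORTS):
    """Return listeners reachable from the network that are not allowlisted."""
    return [l for l in listeners
            if not l.is_loopback() and l.port not in allowed_ports]


if __name__ == "__main__":
    for l in exposed_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"exposed: {l.process} on {l.address}:{l.port}")
```

On the constructed sample, sshd and smbd pass because their ports are allowlisted, cupsd and redis-server pass because they are bound to loopback, and vncserver (on the IPv6 wildcard) and jellyfin (on the LAN address) are reported as services that anyone on the home network, including a compromised guest laptop, can reach. On a real host you would feed the script the actual `ss -ltnp` output and review the flagged entries against what you intend to expose.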
At some point you have to put more trust into your home network than you would a public network. Not as far as accepting all communications, obviously, but in the sense that you have to open ports and services in order to accept incoming authentication requests and subsequent authenticated connections.
A locked door is weaker than a stone wall, after all. You're trusting that it's safe to have a locked door rather than a stone wall.