Yes that’s a concern with all of them, Apple TV included.

That’s what I’m using now and I like it.

Not sure if it’s a factor for you but roku tries to phone home a lot more than anything else on my network (or perhaps my firewall just catches it more than other devices and apps). Otherwise roku is pretty good.

Nvidia shield tv is better though. It’s the best set top box. Made even better by replacing the default launcher/ home screen (android TV default launcher now has 2/3 or more of the screen taken up by ads or “recommended content” which is just ads).

Big.

Absolutely agree

Oisd.nl

Depending on how in depth you want your firewall, packet inspection, etc to be and your internet access speed, you may want a commercial grade router. You can also probably use an old PC and add a dual gigabit NIC to it and load up opnsense or pfsense or some other router/firewall distribution. From there, add a stand alone switch and a standalone wifi AP (or router in AP mode). The reason I bring up using a commercial device or an older desktop is because packet inspection, filtering, etc at line speed on a gigabit connection won’t be possible with a lot of low powered devices.

I used to do this (was using an old Intel core i5 second gen with added RAM and a dual port gigabit NIC) but it was a lot to keep up with. I have since moved on to an Asus router (RT-AX86U) with the AsusWRT-Merlin software package. The only functionality I really lost was suricata for IDS. The AsusWRT distro comes with some proprietary stuff (that I think you can turn off) but it’s also very “open” in terms of just running Linux underneath. This means you can set up things like VLANS, use iptables, etc.

AsusWRT-Merlin adds some niceties (including a nice add on system that will expand into web based interfaces for certain things you might usually do from command line, better/expanded firewalling, and even adguardhome installer for DNS-based malware/spyware/ad blocking… kinda like pihole but lots of people like it better). The maintainer of that package corresponds frequently with Asus (to the point that some of his stuff is merged back into the official AsusWRT at some points).

I can confirm that the model I mentioned above is able to do all the firewalling, QoS, adguard DNS filtering, etc at gigabit speeds. It also has some sort of IDS and a few other protections, but they are part of the proprietary bits (Asus licensed via TrendMicro I believe).