In my case I have multiple VLANs (incl. one for guest WiFi) to segregate my network. In particular for IoT devices that might otherwise phone home. In other words: There is a number of reasons why an internal firewall makes sense. Some companies found out about this the hard way in recent years, BTW.
I have PVLANs only and they are all hardened, but the doubt I was having was to enable DPI in that traffic and other protections too.
One mount point could be used by 2 different machines and in any case, a malware could replicate across the network, though with a NAS I should execute that file in the 2nd system, which is much less luckily to happen, especially with different OS.
If that file is well prepared, it could infect the 2nd system anyway.
I'm not prepared right now to say if I absolutely need such protections, but at the very least, they don't harm the security, just the bandwidth :D .
I just need to review possible scenarios.
