Let's get physical
A three-way switch on the IoT device that controls access.
Position 1:- Input locked. Firmware cannot be flashed, nor can the device accept any input beyond negotiating with predefined networks. Effectively it will only broadcast its data to the user's network at a refresh rate previously set by the user.
Position 2:- Input guarded. As position 1, but with a whitelist of user-defined input parameters. A soft option position 3, if enabled at set-up, will allow the device to operate as if in position 3 mode, but this would only activate on receipt of the correct 256-bit password from authorised networks.
Position 3:- Input open. Intended for initial set-up and update use only.
In general, domestic users would not enable soft mode 3, as they would normally have access to the device to physically flick the switch to position 3.
And basically, if I can't have a degree of physical control over the IoT device, in a manner like the above, then I'm not having it.
And yes, I've told my electricity supplier exactly where they can stick their smart meter.
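The three switch positions described above, written out as a firmware-side access decision in C. This is an added example, not part of the original comment: the type and function names, the sample keys and the `refresh_rate` parameter are assumptions, as is treating the whitelist as a list of parameter names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum sw_pos { POS_LOCKED = 1, POS_GUARDED = 2, POS_OPEN = 3 };
enum req_kind { REQ_SET_PARAM, REQ_FLASH_FIRMWARE };
struct device {
    enum sw_pos pos;              /* read from the physical switch */
    bool soft3_enabled;           /* "soft mode 3", chosen at set-up */
    uint8_t soft3_key[32];        /* the 256-bit password */
    const char *const *whitelist; /* user-defined parameter names (assumed form) */
    size_t n_whitelist;
};
struct request {
    enum req_kind kind;
    const char *param;            /* name for REQ_SET_PARAM, else NULL */
    bool from_authorised_net;
    const uint8_t *key;           /* 32 bytes presented by the sender, or NULL */
};
/* Constant-time compare so response timing does not leak matching bytes. */
static bool key_matches(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < 32; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}
bool request_allowed(const struct device *d, const struct request *r) {
    if (d->pos == POS_OPEN) return true;        /* position 3: input open */
    if (d->pos != POS_GUARDED) return false;    /* position 1 or bad read: deny */
    if (d->soft3_enabled && r->from_authorised_net && r->key &&
        key_matches(d->soft3_key, r->key)) return true;  /* soft position 3 */
    if (r->kind != REQ_SET_PARAM || !r->param) return false;
    for (size_t i = 0; i < d->n_whitelist; i++)
        if (strcmp(d->whitelist[i], r->param) == 0) return true;
    return false;                               /* not on the whitelist */
}

/* Constructed sample values, for illustration only. */
const uint8_t SAMPLE_KEY[32] = { 0xA5, 0x5A, 0x01 };
const uint8_t WRONG_KEY[32]  = { 0xA5, 0x5A, 0x02 };
static const char *const SAMPLE_PARAMS[] = { "refresh_rate" };

/* Builds the sample device in the given state and evaluates one request. */
bool demo(enum sw_pos pos, bool soft3, enum req_kind kind, const char *param,
          bool auth_net, const uint8_t *key) {
    struct device d = { pos, soft3, {0}, SAMPLE_PARAMS, 1 };
    memcpy(d.soft3_key, SAMPLE_KEY, sizeof d.soft3_key);
    struct request r = { kind, param, auth_net, key };
    return request_allowed(&d, &r);
}
```

Any switch reading other than 2 or 3 is treated as position 1, so a faulty or floating switch input fails closed.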