
You’ll note that I mentioned a proxy. That’s why: you need to force all traffic through a proxy you control or you’re just hoping that a client doesn’t use hard-coded IPs or an outside API of some source. If your network allows the client to send traffic to port 443 anywhere, any blocking is on the honor system.
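As an added illustration (editor's example, not the commenter's code) of what "default deny, proxy only" looks like in practice, here is an nftables ruleset for an IoT VLAN whose only permitted egress is the internal resolver and an explicit proxy, plus a small check that the generated ruleset contains no direct port 443 rule. Interface name, subnets, proxy and resolver addresses are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: an nftables ruleset that turns the
# "default deny, proxy only" egress policy for an IoT VLAN into rules, plus a
# check that the ruleset really has no direct 443 escape hatch.
# All addresses, interface names and ports are hypothetical placeholders.
IOT_IF="vlan20"        # router interface facing the IoT VLAN
IOT_NET="10.20.0.0/24"
PROXY_IP="10.0.0.5"    # explicit HTTP(S) proxy the devices are configured to use
PROXY_PORT="3128"
DNS_IP="10.0.0.2"      # internal resolver, which is where any DNS blocking lives

gen_ruleset() {
  cat <<EOF
table inet iot_egress {
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$IOT_IF" jump iot_out
  }
  chain iot_out {
    ct state established,related accept
    ip saddr $IOT_NET ip daddr $DNS_IP udp dport 53 accept
    ip saddr $IOT_NET ip daddr $DNS_IP tcp dport 53 accept
    ip saddr $IOT_NET ip daddr $PROXY_IP tcp dport $PROXY_PORT accept
    # No rule for 443, 853 (DoT) or any other port to arbitrary hosts:
    # DoH, hard-coded IPs and third-party APIs all land on this drop.
    log prefix "iot-egress-drop " counter drop
  }
}
EOF
}

# Returns 0 if the generated ruleset still enforces the policy.
check_ruleset() {
  f="$1"
  grep -q 'counter drop' "$f" || return 1      # unconditional drop is present
  ! grep -q 'dport 443' "$f" || return 1       # no direct TLS egress to anywhere
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    nft -c -f "$f" || return 1                 # syntax check only, does not load
  fi
  return 0
}

RULES="$(mktemp)"
gen_ruleset > "$RULES"
if check_ruleset "$RULES"; then
  echo "ruleset at $RULES passes the policy checks; load with: nft -f $RULES"
else
  echo "ruleset at $RULES violates the policy" >&2
fi
```

The useful test afterwards is from a device on the VLAN, not from the router: `curl --max-time 5 https://example.com` must time out, while the same request with the proxy configured must succeed, and the `iot-egress-drop` log line tells you which devices are trying to go direct.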


My question here is how are you going to install your root certificate on a $300 smart TV? Or, if that is not required because the TV does not verify DoH certificates, how bad is that for security (which we already know is awful on these devices)?


This comes back to the core decision: do you care about controlling the network enough to block access? If the device can't be managed / is no longer supported the safest choice is not to allow it online at all. Different people will have different risk tolerances – it might make sense to put, say, a remote-control power switch on an IoT no-man's land network but if it has access to personal information or cameras/microphones it's not unreasonable to say it should just be blocked unless you're actively using those features.


Well, it’d just block internet access there. I wonder if it’s possible to push a root to an Apple TV.


The Checkrain jailbreak [0] supports several Apple TVs, so I’d bet you could use certbot to obtain a Let's Encrypt [1] cert for it.

Of course, jailbreaking opens up other security issues, so it goes back to what you can tolerate.

[0] https://checkrain.org/ [1] https://letsencrypt.org/getting-started/


I know that you can install iOS profiles onto the Apple TV, I have done this for 802.1x support, which included a CA root for the 802.1x controller.

I would imagine you can use this to push any certificate that you can also push to an iOS/iPadOS/macOS device.
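As an added example (editor's code, not the commenter's), here is a small script that produces a configuration profile of the kind described above, carrying a single root CA payload. The payload keys follow Apple's profile format (a `com.apple.security.root` payload with the DER certificate as `<data>`); the identifiers, display name and UUIDs are placeholders, and the base64 DER is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread: build a .mobileconfig that installs one
# root CA. Identifiers, names and UUIDs below are hypothetical placeholders.
#
# Usage: gen_root_ca_profile "<base64 DER>" ["display name"] [payload uuid] [profile uuid]
# Get the base64 DER from a PEM with:
#   openssl x509 -in root.pem -outform DER | base64 -w0
gen_root_ca_profile() {
  der_b64="$1"
  name="${2:-Homelab Proxy Root CA}"
  uuid="${3:-11111111-1111-4111-8111-111111111111}"
  profile_uuid="${4:-22222222-2222-4222-8222-222222222222}"

  # Refuse anything that is not base64: a stray PEM header or shell quoting
  # mistake would otherwise produce a profile that silently fails to install.
  if [ -z "$der_b64" ] || printf '%s' "$der_b64" | grep -Evq '^[A-Za-z0-9+/=]+$'; then
    echo "gen_root_ca_profile: certificate must be base64 DER" >&2
    return 1
  fi

  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>root-ca.cer</string>
      <key>PayloadContent</key>
      <data>
$der_b64
      </data>
      <key>PayloadDescription</key>
      <string>Adds a root certificate</string>
      <key>PayloadDisplayName</key>
      <string>$name</string>
      <key>PayloadIdentifier</key>
      <string>com.example.homelab.rootca.$uuid</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadUUID</key>
      <string>$uuid</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>$name</string>
  <key>PayloadIdentifier</key>
  <string>com.example.homelab.rootca</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>$profile_uuid</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}
```

The display name is inserted verbatim, so keep it free of XML special characters. Install the result the same way as the 802.1X profile the comment describes; note that this only covers software that consults the system trust store, so a client that pins its own certificates will still fail through a TLS-intercepting proxy and falls back to the block-or-allow decision discussed earlier in the thread.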


This is what I was thinking about.



