You've got this wrong my friend. You don't use Wi-Fi on a router. You get a separate Wi-Fi Access Point device for that. I use a fanless Intel N100 2.5Gb x4 port system from AliExpress as the router with OpnSense and a Ubiquity Wi-Fi 7 access point for the wireless.
I think I get what you're implying. As long as the router itself with its firewall + DNS + NAT, is secure from attacks by actors over there internet, the access point I will connect to it only needs to be secure against people within 100 feet of it.
My only concern here is configuring an access point to just be a dumb antenna that xmits/recvs and AES encrypts/decrypts ethernet packets from a handful of MAC addresses without doing NAT or any other additional processing of those packets. The concerns my OpenBSD buddies have about the software on ASUS routers is well-founded, but I don't think any of us is sufficiently versed in layer 2 security.
What's the extent of your expertise in layer 2? I would rest easy as long as my router and access point are not willy-nilly giving away my MAC addresses to fine institutions like this place.
