Ok so after experimentation I thought I would post my results for those wishing to try and get IoT devices on a separate VLAN (here is the related post Advice IoT Devices, Dumb AP with separate Router/DHCP). I have successfully got the majority of the IoT devices on untrusted VLAN (wifi) with internet access but no local access. I have tried to get mDNS reflector running so that you can cast (Chromecast) between subnets which works but unfortunately isn't reliable (something to do with chromecast constantly pinging out <1ms and maybe the reflector can't keep up). I ended up with the most untrusted (bulbs, PS4 etc running in the untrusted vlan) but haven't yet with the Chromecast without having to do init scripts to restart things ever second which just seems like it a workaround than a working config so have abandoned this for the moment.
Hope someone finds this helpful.