A buddy of mine who's involved in a lot of IETF things is a fan of something called MUD (manufacturer usage description). Broadly, it lets a manufacturer set rules, like "this thermostat only ever makes TCP connections to the following three DNS names". A policy like that can then be enforced by your home router or whatever else.

I like this because it's simple, and because it's spiritually similar to Content Security Policies, wherein a web server can make statements like "my HTML will never have inline JavaScript". That's proven very valuable for the web.
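As an added illustration (not part of the original comment, and not code from any MUD implementation): a minimal default-deny check of a device's outbound flows against the from-device policy of a MUD file laid out as in RFC 8520. The thermostat, its three hostnames, and the function names are constructed for the example, and each flow's destination is assumed to have already been mapped back to a DNS name by the enforcing router.

```python
import json

def _ace(name, host):
    # One access-control entry: TCP (IP protocol 6) to `host` on port 443.
    return {"name": name, "actions": {"forwarding": "accept"}, "matches": {
        "ipv4": {"ietf-acldns:dst-dnsname": host, "protocol": 6},
        "tcp": {"destination-port": {"operator": "eq", "port": 443}}}}

# Constructed MUD file for a hypothetical thermostat (only the fields used below).
MUD_JSON = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://thermostat.example.com/t1.json",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "from-t1"}]}}},
    "ietf-access-control-list:acls": {"acl": [{
        "name": "from-t1", "type": "ipv4-acl-type",
        "aces": {"ace": [_ace("api", "api.thermostat.example.com"),
                         _ace("ota", "updates.thermostat.example.com"),
                         _ace("time", "time.thermostat.example.com")]}}]}})

def load_from_device_rules(mud_text):
    """Return the set of (dns name, ip protocol, tcp port) tuples the device may reach."""
    doc = json.loads(mud_text)
    policy = doc["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]
    wanted = {entry["name"] for entry in policy}
    rules = set()
    for acl in doc["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue  # ACL not referenced by the from-device policy
        for ace in acl["aces"]["ace"]:
            m = ace["matches"]
            l3 = m.get("ipv4") or m.get("ipv6") or {}
            port = m.get("tcp", {}).get("destination-port", {})
            host = l3.get("ietf-acldns:dst-dnsname")
            # This sketch handles only "accept" entries with an exact ("eq") port.
            if ace["actions"]["forwarding"] == "accept" and host and port.get("operator") == "eq":
                rules.add((host.lower(), l3.get("protocol"), port["port"]))
    return rules

def is_allowed(rules, dst_name, protocol, dst_port):
    """Default deny: a flow passes only if an entry matches it exactly."""
    return (dst_name.lower().rstrip("."), protocol, dst_port) in rules

if __name__ == "__main__":
    rules = load_from_device_rules(MUD_JSON)
    for flow in [("api.thermostat.example.com", 6, 443), ("telemetry.example.net", 6, 443)]:
        print(flow, "accept" if is_allowed(rules, *flow) else "drop")
```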