I don’t want to steer you wrong. I am not a networking expert and I do not play one on TV; heck, I didn’t even stay at a Holiday Inn Express last night. That being said, I have a similar network to what you are describing. I have 5 VLANs with 5 separate subnets.
VLAN 1 - Internet Access
    OPNsense router (172.21.9.x)
    Ubiquiti EdgeRouter Lite (172.21.9.x)
VLAN 10 - Main LAN (192.168.10.x)
VLAN 20 - Guest LAN (192.168.20.x)
VLAN 30 - IoT LAN (192.168.30.x)
VLAN 40 - Management/UniFi (192.168.99.x)
I have a 24-port Ubiquiti EdgeSwitch Lite on which the various VLANs are tagged; it handles the routing between the VLANs (as well as the security, through access control lists).
The way things work is this. Say my main computer wants to reach the internet. My computer sends the request to the switch on VLAN 10, which then routes the packet to VLAN 1 and out of my OPNsense box. Say a compromised IoT box wants to scan the entirety of the 192.168.x.y subnet. The switch knows through its access control lists that it is not allowed to do that and blocks those attempts.
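To make the "switch ACL blocks the IoT scan" behaviour concrete, here is a small first-match ACL model written for this reply as an added example; it is not the poster's EdgeSwitch configuration and uses plain Python rather than EdgeSwitch CLI syntax. The VLAN subnets are the ones listed above; the rule table, the assumption that the OPNsense box sits at 172.21.9.1 as the IoT VLAN's gateway, and the sample packets are constructed for illustration.

```python
"""First-match inter-VLAN ACL model for the IoT VLAN (added example).

Subnets come from the post above.  The rule list, the gateway address and
the packets below are constructed assumptions, not the poster's switch
config, and the syntax is Python rather than EdgeSwitch CLI.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Subnets as listed in the post (VLAN 1 is the transit VLAN to the routers).
INTERNET_VLAN = Net("172.21.9.0/24")
MAIN = Net("192.168.10.0/24")
GUEST = Net("192.168.20.0/24")
IOT = Net("192.168.30.0/24")
MGMT = Net("192.168.99.0/24")
ANY = Net("0.0.0.0/0")

# Assumption: the OPNsense box is the IoT VLAN's way out (gateway/DNS).
ROUTER = Net("172.21.9.1/32")

# (action, source net, destination net); evaluated top-down, first match
# wins, and anything that matches no rule hits the implicit deny at the end.
Rule = Tuple[str, Net, Net]

# ACL applied inbound on IoT VLAN ports: IoT hosts may talk to the router
# and to the internet, but not to any other internal subnet.
IOT_ACL: List[Rule] = [
    ("permit", IOT, ROUTER),         # gateway/DNS must be reachable
    ("deny",   IOT, MAIN),           # no lateral movement into the main LAN
    ("deny",   IOT, GUEST),
    ("deny",   IOT, MGMT),           # UniFi controller / switch management
    ("deny",   IOT, INTERNET_VLAN),  # rest of the transit VLAN (EdgeRouter)
    ("permit", IOT, ANY),            # everything else is the internet
]


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet under first-match semantics."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny when no rule matches


def scan(acl: List[Rule], src: str, target: Net) -> Dict[str, str]:
    """Simulate a compromised IoT host probing every address in a subnet."""
    return {str(h): evaluate(acl, src, str(h)) for h in target.hosts()}


def permitted_count(acl: List[Rule], src: str, target: Net) -> int:
    """How many hosts in `target` the scan would actually reach."""
    return sum(1 for v in scan(acl, src, target).values() if v == "permit")


def misordered_acl() -> List[Rule]:
    """Same rules with the catch-all permit moved to the top.

    On a first-match ACL this silently defeats every deny below it, which
    is the classic mistake when building these lists by hand.
    """
    return [IOT_ACL[-1]] + IOT_ACL[:-1]


if __name__ == "__main__":
    bot = "192.168.30.7"  # constructed: a compromised IoT device
    print("IoT -> main LAN scan, hosts reachable:",
          permitted_count(IOT_ACL, bot, MAIN))
    print("IoT -> internet:", evaluate(IOT_ACL, bot, "8.8.8.8"))
    print("IoT -> router:", evaluate(IOT_ACL, bot, "172.21.9.1"))
    print("Misordered ACL, main LAN hosts reachable:",
          permitted_count(misordered_acl(), bot, MAIN))
```

Two things this model makes visible that the prose does not. First, rule order is everything on a first-match list: `misordered_acl()` contains exactly the same rules, but with the catch-all permit on top the IoT scan reaches every host on 192.168.10.x. Second, a switch ACL like this is stateless, so the `deny IOT -> MAIN` line also drops IoT-sourced replies to connections that a main-LAN host opened (a phone talking to a smart plug, say); on a real switch you would need narrower permit rules for those cases, whereas a stateful firewall on the router would handle the return traffic for you.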