I think (but am not sure) that if you want a public / guest / no authentication required SMB share then you are going to struggle to limit that to being visible on 1 of the interfaces. However, as @neogrid said, and as it looks like you have worked out, you absolutely could do it by user / group based ACL.
Presumably your cameras have the ability to do some form of auth, as will the devices on your office LAN, so maybe just a “public” share for the IoT stuff. It would mean that all shares could be seen from all networks but would only have read / write when authenticated.