The rules basically assume you trust everything internally, and trust the sites that internal clients connect to. Your router protection (WAN_LOCAL) is very important though.
You can do much more to lock things down, but it does get more complicated.
What I do is basically block traffic from things that don't need remote access, like security cameras and home automation (create a firewall group with those IP addresses).
With deep packet inspection, you can also block specific types of traffic you don't want to allow, like things that try to evade firewalls.
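The firewall-group approach described in the post, written out as an added EdgeOS configuration example (not the poster's own config). The group name `IOT_NO_WAN`, the ruleset name `LAN_IN`, the RFC 1918 network group, the interface `eth1` and the sample device addresses are all assumptions; substitute your own LAN interface and camera/automation addresses.

```edgeos
# Group the devices that never need to reach the internet (addresses are constructed examples)
set firewall group address-group IOT_NO_WAN description 'Cameras and home automation'
set firewall group address-group IOT_NO_WAN address 192.168.1.50
set firewall group address-group IOT_NO_WAN address 192.168.1.51

# Private address space, so the devices can still talk to local clients and the controller
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16

# Ruleset applied to traffic entering the router from the LAN
set firewall name LAN_IN default-action accept
set firewall name LAN_IN description 'LAN to router/WAN'

# Rule 10: anything destined for the local networks is allowed through
set firewall name LAN_IN rule 10 action accept
set firewall name LAN_IN rule 10 description 'Allow LAN-to-LAN'
set firewall name LAN_IN rule 10 destination group network-group RFC1918

# Rule 20: everything else from the grouped devices (i.e. internet-bound) is dropped and logged
set firewall name LAN_IN rule 20 action drop
set firewall name LAN_IN rule 20 description 'Block IoT devices from the WAN'
set firewall name LAN_IN rule 20 log enable
set firewall name LAN_IN rule 20 source group address-group IOT_NO_WAN

# Attach the ruleset to the LAN interface (eth1 is assumed)
set interfaces ethernet eth1 firewall in name LAN_IN
```

Rule order matters: the LAN-to-LAN accept must come before the drop, or the grouped devices lose local access too. Enabling `log enable` on the drop rule gives you a record of any camera or hub that keeps trying to phone home, which is a useful check that the group actually contains every device you intended.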