Technically, the “best” option would be to VLAN the WiFi network separately from a wired network where all the important devices are connected.
But honestly, for normal people, that’s over the top. Try WPA3 first and see if you have any devices that won’t work over it. If you run into issues, swap over to WPA2. I generally say start stricter and loosen the metaphorical belt only as necessary.
It’s not too terrible to set up a RO server. There’s even a guide to running one on a Raspberry Pi.
I followed the guide a few years back and it worked out pretty well. Instead of setting up a site to create user accounts I just ended up manually adding users to the database.