Great topic, let me share some thoughts...
Living off the land is where an attack is conducted using in-place technology to eventually reach a target. So my remote control LED lights, a little cheap tiny device, isn't worth attacking itself. Not a big threat if a bad actor can turn some lights on/off. However, they could leapfrog from that device to something else I care about on my network, like my PC with my financial data on it. The solution is to put the LED lights on their own 'guest network' and isolated from my valued devices.
Complex attackers. A hacker who is able to determine the schedule on your thermostat - and therefore know when you are home - will not physically perform an attack on your property. They will provide that information to some one who is looking for houses to break in to. They may be part of a group, or it could be information simply sold on the underground market.
It may not be your network that is compromised. Let's say an attacker can penetrate Honeywell, the thermostat maker's network. Many of these devices do not have the schedule functionality operating locally, it is operated by central servers. Sure, it all appears that your cell phone is controlling your thermostat, but in reality your cell phone is talking to a central server and it talks to your thermostat. Now with one successful attack against Honeywell, your 'at-home schedule' has been compromised due to no fault of your own.
Targeted attacks. This is probably more work than a run-of-the-mill thief will do, but not if you are being targeted. Are you known to have valuables at home? Collector cars is a great example where the DMV (another computer) knows you are the owner, and in order to enjoy the collector car you have to drive it in public. Definitely a bigger target than someone who owns valuable art, but is not widely known to have such assets.
Remote access devices like Chamberlain's MyQ garage door openers are another big one. Central computer knows when the garage door opens and you leave for work. A successful compromise of MyQ, and now the bad actors can drive up to your garage, open the door, drive in, close the door, and ransack the house without fear of being noticed by the neighbors.
Don't think you will know about it in time to respond. Earlier this week Quest Diagnostics admitted 11.9 million patient records had been accessed between 8/1/18 and 3/30/19. The attack is over and done before the public was notified.
And don't get me started on the spying that SmartTVs and such do. It is just freaky having a camera watching me while I watch TV. DW gets a little amorous on the couch after a chick-flick, and your TV could be sharing the video. No doubt Amazon's Alexa will record the soundtrack for synchronization with the video.
Sorry for the long winded post. This is a subject I have a lot of concerns about. I work in tech, specifically the security side of tech. I do have a lot of these tech toys around, but none that can monitor me or that control any of my home security. And what little I do allow, I keep them in network isolation from any things I do care about.
-Eric
Eric & Lisa - Oregon
'97 Silverado K2500, New HT383 motor!, Airbags, anti-sway bar
'03 Lance model 1030, generator, solar,
