I will share what I do and you can draw your own conclusions. But don't think of it as your friends are or are not a-holes. The real question is are they serious about endpoint security or are they unknowingly bringing a threat into your home? Or is an IoT device compromised with malware and will it become an attack vector by which a bad actor gets to the rest of your devices? Or do people in your house open themselves up to attacks by their online behavior?
The idea isn't really to create a second wifi SSID, the idea is to create separate VLANs and then use a firewall to manage traffic between them. If you've got your firewall set up correctly you are then protecting a malicious attack on one network from infecting devices on another network. So if someone hacks one of your IoT devices and they are able to get to your IoT network, they may be able to see other devices on that network (more on this in a min) but not anything beyond that. VLANs work both with wired networks and wireless networks, so the general practice is to assign each VLAN a separate SSID. For further protection you can turn on port isolation so even devices on the same VLAN can't talk to each other.
How you configure your network has to do with a number of factors: (1) an understanding of the risks and your tolerance for those risks, (2) your willingness to learn how to configure and manage a more complex network, (3) how sophisticated your network equipment is, and (4) what other risk mitigation factors or vulnerabilities are in place.
On item 4, I'd consider things like strong passwords, endpoint security, and decent encryption higher on the list than VLAN segmentation. On item 3, many consumer-grade routers don't support VLANs, or they may support a user VLAN and a guest VLAN but nothing else, and you may have very little control over how they are configured. More sophisticated equipment gives you a lot more flexibility but then gets you to #2.
I have 5 VLANs and 4 SSIDs. One for home automation, one for IoT devices, one for users, one for gamers, and a management VLAN with no wireless connectivity. I have firewall rules blocking traffic between them, but I do have some firewall rules that allow user devices to talk to HE, HE to talk to the alarm system, my Mac to talk to the management VLAN, and so on. This is definitely overkill for most people but I have the equipment and the skill set so why not.
So to your questions...
1 - yes, if you can
2 - not sure what you are asking with this. If you're talking about creating a separate VLAN it will operate across the same APs as your current configuration. If you're talking about adding a second wifi gateway and hanging it off the first one, I don't recommend that approach at all. Either you create a double-NATting network or you just bridge one network to the next. While the former CAN be used to do some segmentation it's not ideal at all. And the latter provides you with very little real security. Whatever route you go you will have to either change your smart device connections or the connections for whatever other devices you have.
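The post describes a default-deny firewall between VLANs with a handful of narrow exceptions (user devices to the home automation hub, hub to the alarm, one admin machine to the management VLAN) and notes that port isolation, not the firewall, is what governs devices on the same VLAN. The following is an added example, not the poster's configuration or any vendor's code: a small Python model of that policy that decides inter-VLAN flows statefully and renders the equivalent nftables forward chain. The VLAN ids, subnets, host addresses, ports and the `vlanNN` interface names are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN plan for this example (ids and subnets are invented).
VLANS = {
    "mgmt":   (10, ipaddress.ip_network("10.0.10.0/24")),  # no SSID, wired only
    "users":  (20, ipaddress.ip_network("10.0.20.0/24")),
    "ha":     (30, ipaddress.ip_network("10.0.30.0/24")),  # home automation hub
    "iot":    (40, ipaddress.ip_network("10.0.40.0/24")),
    "gaming": (50, ipaddress.ip_network("10.0.50.0/24")),
}


@dataclass(frozen=True)
class Allow:
    """One exception to the default deny between two VLANs (TCP only here)."""
    src_vlan: str
    dst_vlan: str
    dport: int
    src_host: Optional[str] = None   # pin the rule to a single source address
    dst_host: Optional[str] = None   # pin the rule to a single destination address


# Constructed allow list in the spirit of the post's exceptions
# (hypothetical addresses and ports).
ALLOWS = [
    Allow("users", "ha", 443),                                             # phones/laptops -> hub web UI
    Allow("ha", "iot", 4000, src_host="10.0.30.5", dst_host="10.0.40.9"),  # hub -> alarm panel only
    Allow("users", "mgmt", 22, src_host="10.0.20.15"),                     # one admin workstation -> mgmt
]


def vlan_of(ip: str) -> Optional[str]:
    """Map an address to the VLAN whose subnet contains it, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, (_, net) in VLANS.items():
        if addr in net:
            return name
    return None


def matches(rule: Allow, src_ip: str, dst_ip: str, dport: int) -> bool:
    """True when a NEW flow is covered by this allow rule."""
    return (rule.src_vlan == vlan_of(src_ip) and rule.dst_vlan == vlan_of(dst_ip)
            and rule.dport == dport
            and rule.src_host in (None, src_ip)
            and rule.dst_host in (None, dst_ip))


class Firewall:
    """Stateful forward chain: default drop, allow list for NEW, replies for ESTABLISHED."""

    def __init__(self, allows):
        self.allows = allows
        self.established = set()  # (client_ip, server_ip, dport) of accepted flows

    def new_connection(self, src_ip: str, dst_ip: str, dport: int) -> str:
        src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
        if src_vlan is None or dst_vlan is None:
            return "drop"
        if src_vlan == dst_vlan:
            # Never crosses the router; only switch/AP port isolation can block this.
            return "same-vlan"
        if any(matches(r, src_ip, dst_ip, dport) for r in self.allows):
            self.established.add((src_ip, dst_ip, dport))
            return "accept"
        return "drop"

    def reply(self, src_ip: str, dst_ip: str, sport: int) -> str:
        # A reply runs opposite to the tracked flow: server -> client from the service port.
        return "accept" if (dst_ip, src_ip, sport) in self.established else "drop"


def render_nft(allows) -> str:
    """Render the policy as an nftables forward chain (interface names are assumed)."""
    lines = ["table inet filter {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for r in allows:
        src = f"iifname vlan{VLANS[r.src_vlan][0]}"
        dst = f"oifname vlan{VLANS[r.dst_vlan][0]}"
        hosts = (f" ip saddr {r.src_host}" if r.src_host else "") + \
                (f" ip daddr {r.dst_host}" if r.dst_host else "")
        lines.append(f"    {src} {dst}{hosts} tcp dport {r.dport} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    fw = Firewall(ALLOWS)
    print("laptop -> hub 443:", fw.new_connection("10.0.20.7", "10.0.30.5", 443))
    print("compromised IoT -> laptop 445:", fw.new_connection("10.0.40.9", "10.0.20.7", 445))
    print("IoT -> IoT (firewall never sees it):", fw.new_connection("10.0.40.9", "10.0.40.12", 80))
    print("hub -> alarm 4000:", fw.new_connection("10.0.30.5", "10.0.40.9", 4000))
    print("alarm reply -> hub:", fw.reply("10.0.40.9", "10.0.30.5", 4000))
    print(render_nft(ALLOWS))
```

The point the model makes concrete is the asymmetry: the hub may open a connection to the alarm and the alarm may answer on that flow, but the alarm cannot start a connection of its own toward the hub or toward user devices. The `same-vlan` result shows why the post separately mentions port isolation: traffic that never leaves the VLAN never reaches the router's firewall.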