Yes, as long as your router also supports a custom firmware such as Tomato or DD-WRT or something similar. The best Tomato developer is possibly on permanent leave so there aren't a lot of quick or updated builds going on in Tomato land but DD-WRT is still very popular.
There is also a group of Asus Routers that supports a modified stock firmware by somebody named Merlin. These firmwares, as far as I understand, support all of that stuff as well but some of it must be configured via SSH because there is nothing in the GUI to do a lot of it.
I prefer Tomato by Shibby but I abandoned it recently for Merlin. So recently in fact that I haven't bothered figuring out how to setup VLANs yet. Instead I just stopped using all of my Chinese WiFi IoT devices (the ones I couldn't flash my own firmware on) and sort of slimmed down instead.
Anyway, back to the question at the top. It's my understanding that everything that could run locally does unless it needs to communicates with a third-party cloud service. That to me would mean that anything connected directly to the hub and configured through 1st party device handlers and apps would all be local. This would also include all third party device handlers and apps as long as no dependencies on the internet are created by the developer.
For somebody who has actually checked into this, does that sound about right?