I would start with the question - how big is this broadcast traffic, that it needs to be dealt with? )
And so - yes:
phones in a separate vlan (usually two-port ones are able to separate tagged traffic into "for themselves" and "for the device connected next")
printers in a separate vlan (or even vlans) and access to them only by the print server, and user devices - access only to the print server.
The exception is MFPs that are used as scanners.

With the help of an active switch with L3 support, if you are lucky with the budget, take a router, spread everything over different subnets: telephony separately with its disgrace over UDP; observation separately; accounting with its bank clients and reporting separately (here security); you can separate some departments at your own discretion. In addition to delimiting network traffic flows, you get convenience in localizing some problems and a security bonus.
It is better to do the delimitation by broadcast domains wisely, by spreading the domains over different subnets, and not VLANs. Because VLAN (802.1q) is nothing more than a crutch that works at the data link layer
With its tag and access troubles.
If you are going to buy a router, it is better to take an iron (hard), rather than a software (soft) one, all sorts of Mikrotiki and *-links. Software under loads begin to pass well. As an example, the simplest model (without VPN, DMZ) is the Cisco-ASA 55** model (** model depending on speed and number of ports).