After reading the advice above, I want to note the following. when saving the employer's money and buying deshman equipment, it is very important to understand that everything that the equipment cannot do will be done by you yourself, and no one will pay you more for it. yes, you can do it on micros and openVR and it will be cheap. but for this cheapness, someone will have to work harder and spend time figuring it all out and setting it up correctly. and the worst thing about these solutions is that you spend time on the initial setup, but when you have to reconfigure something in half a year or a year, you will spend even more time figuring out how to do it without breaking what you have done. and if you suddenly happen to leave,
if you decide to go this route, be sure to write down everything in detail what was done and why and why exactly, it would not be superfluous to mention other solutions and why they were not used.
for example, in a year we had to simply throw out the router with openVRT because no one remembered how to enter it and what to do with it for reconfiguration, but there was no time to figure it out. the microt put the multicast network by a storm, and since the authorities wanted everything to be right now it was not possible to figure it out, the microt has been lying in the closet for a year that no one needs, although the task for which it was bought performed perfectly. and the solution to the storm was found, but no one needs it anymore.

A good example of how porridge in the head leads to bad decisions. You don't need to change the switch. The controllability of the switch matters in the enterprise, in a LAN for a dozen users it is redundant.
Routers need to be changed. For those who independently raise the VPN to the center and then you will already have a more or less correct scheme with branch routing.

As already correctly written - change the router to one that supports VLAN, and possibly VPN.
The cheapest mikrotiks or ubiquiti will do just fine.
I’ll even say more, if your “home” TP_link supports flashing under Linux such as OpenWRT and others like it, then it’s very possible that you won’t need to buy anything at all. Turn your home into an analogue of Mikrotik or Ubikuti.

IMHO, it would be better for you not to upgrade switches, but routers - so that you can raise VPN on them, and not from somewhere on the user device.

I thought that by dividing all the devices into subnetworks (separate vlans), isolating them from each other, and also setting restrictions on the Internet on the router, I can safely drive local traffic inside the L2 switch

Switch "Stupid, uncontrollable" first level