Both the number of devices and bandwidth could be conserved if we had a standard protocol for these things to talk to a local hub that would (a) proxy interactions with the outside, (b) enforce privacy rules and (c) handle management overhead.
As it is now, a house can easily find itself with three brands of "smart" light bulbs, a thermostat, a power meter, six video systems and a camera: all of them demanding their own IP address and exposing varying levels of private information.
I expect there are six standards for such hubs already. Insert XKCD here...
I am not sure that it is a good idea to put such devices in a special class of their own. It risks giving devices permissions and trust that they don't actually deserve. Better to treat them as an internet server and use existing protocols (OAuth, CORS, TLS, WebSockets etc.). As far as I know, all those protocols work perfectly well on a local network behind a NAT. More importantly, browsers already have well understood restrictions to prevent XSS built in.