I run a full PC and rolled NAS / WIFI / etc. into a single box, but that's just my approach to combining and slimming down the footprint of devices needed.
Bundling the NAS / router functions eliminates all of the bottlenecks you see with modular setups and needing to upgrade all of the wires / NIC to support the higher speed. Then you just have really good WIFI for normal data transfers, and if you need more speed you plug into the "server" directly and get whatever wired speed you go with. I based my speed requirements on the disk speed, w/ RAID 10 capping out at ~400 MB/s, which is just shy of 5GE for speed. 5GE is a good place to be if you have a laptop since you can get a USB dongle for $60 vs going full 10GE and bumping the laptop dongle to TB and $300.
I was running 1GE+ with a cable modem and just bundled 2 ports off that through bonding and was hitting up to ~1400 Mbps with the overprovisioning.
Ads are blocked with Pi-hole w/ a few lists:
https://firebog.net/
IoT / etc. can be managed via VLANs.
I run VPN through it as well, and with WireGuard it hits line speed vs ovpn, which caps out at 600 Mbps no matter the HW you throw at it.
I just use Ubuntu for the OS as it's more adaptable and supported for HW. It's hands-off unless you want to update the kernel weekly like I do to patch things up and unlock potential HW improvements that might be baked into the newer versions.
For the FW I just use iptables, and the total config is about 15 lines to permit LAN <> LAN and then track WAN by sessions and block everything else by default.
Obviously the SFF PC for me wouldn't work due to the extra drives I have inside for the NAS portion, and it might be limiting if you roll in WIFI / AP functions, but it would easily fit a quad port card for network duties. There are dual port cards as well at 2.5/5GE speeds. It depends on how much bandwidth you want on either side of the FW. I stream things over WIFI w/o any issues through 4K or FHD. The AP I'm using just plugs into one of the ports @ 2.5GE speeds, and my laptop using an AX411 card hits 1.5 Gbps back to the server.
It all kind of depends on how you want things to talk to each other and which priorities you have for the data. The FW side is easy and cheap as it just runs in the OS. The biggest thing is planning so you don't end up doing it more than once. If you decide to roll in the other functions, the right case makes a difference to support more drives or better air flow. Picking the right CPU / RAM combo helps for keeping costs down, and ADL at this point is probably the best option in terms of recent but cheaper if building from the ground up. Most of the time the CPU will be near idle and thus low power requirements, but if you let it crank up for something like Plex for comskip or transcoding the power is there to prevent buffering.
I started with an 8700K when I first built it and that handled everything just fine, but ADL / hybrid cores enticed me to play with them so I rebuilt it and just moved the drives over to the new case. Really though, building from the ground up and configuring the box is fairly simple with the guides that are out there. Avoiding the traps of over-configuring and slowing things down is the hard part if you're a tinkerer. Not being locked into the specific-use OS options leaves the door open to do whatever you want / however you want w/o restrictions. Most of the stuff out there can be added as an app as needed. An easy one to use is webmin, which will allow a web GUI for remote control via CLI if you don't plan on leaving a screen hooked up to it when you're done setting things up.
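The post above describes the firewall only in outline (permit LAN to LAN, track WAN sessions with conntrack, drop everything else by default). The script below is an added example written for this page, not the poster's own ~15-line config, showing what such a ruleset looks like in iptables-restore format. The interface names (eth0 as WAN, br0 as the LAN bridge, wg0 for the WireGuard tunnel) and the UDP port 51820 are assumed placeholders; pass your own as arguments. The default-DROP policies on INPUT and FORWARD are what make "block everything else" hold, and the INVALID drop ahead of the ESTABLISHED,RELATED accept keeps conntrack-less packets from sneaking through as "replies".

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Emits a stateful default-deny ruleset for a box acting as LAN router + WireGuard endpoint.
# Usage:  ./fw.sh --show [wan lan wg_port]     (print the ruleset)
#         ./fw.sh --apply [wan lan wg_port]    (load it with iptables-restore, needs root)

# gen_rules WAN_IF LAN_IF WG_PORT  -> prints iptables-restore text on stdout.
# All three names/values below are assumed placeholders, not taken from the post.
gen_rules() {
  wan="${1:-eth0}"      # assumed: interface facing the cable modem
  lan="${2:-br0}"       # assumed: LAN bridge (VLAN sub-interfaces can sit on it)
  wg_port="${3:-51820}" # assumed: WireGuard listen port
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# Packets with no or a broken conntrack entry never count as "replies".
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Track WAN by session: only replies to flows we (or the LAN) started come back in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN and VPN clients may talk to the box itself.
-A INPUT -i $lan -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
# The one service exposed on the WAN side: the WireGuard UDP listener.
-A INPUT -i $wan -p udp --dport $wg_port -j ACCEPT
# LAN <> LAN (across VLAN sub-interfaces) and LAN/VPN -> WAN are permitted;
# nothing is forwarded from WAN unless it matches an existing session above.
-A FORWARD -i $lan -o $lan -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i wg0 -o $lan -j ACCEPT
-A FORWARD -i wg0 -o $wan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT everything leaving towards the modem.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# count_rules WAN_IF LAN_IF WG_PORT -> number of -A rule lines (for a quick sanity check).
count_rules() {
  gen_rules "$@" | grep -c '^-A'
}

# apply_rules: enable forwarding and load the ruleset atomically. Root only.
apply_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_rules: must run as root" >&2
    return 1
  fi
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_rules "$@" | iptables-restore
}

case "${1:-}" in
  --show)  shift; gen_rules "$@" ;;
  --apply) shift; apply_rules "$@" ;;
  *)       ;;   # no args: define functions only (lets the file be sourced)
esac
```

Loading through iptables-restore replaces the whole table in one step, so there is no window where a half-applied ruleset leaves the WAN side open; if you hand-edit it, keep the INVALID drop before the ESTABLISHED,RELATED accept and leave the chain policies at DROP.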