I'm interested in gaining more control over the outbound traffic of the many devices on my network
For starters, I'd disable all internet traffic for any device I wasn't sure about (actually, I wouldn't use any device I really wasn't sure about). This can be done in your router, in the Network Map, Clients (icon), Select the device in question, Block Internet Access -> On.
After that, there are hundreds of utilities to monitor network traffic. Some run on your router, some as standalone devices, other as network sniffers.......
Personally, I run Pi-Hole (on a Raspberry Pi). It is easy to set up, assuming you have a Raspberry Pi, and has an easy to navigate GUI where you can see what your devices are trying to do (well, at least who they are trying to communicate with). This approach doesn't tell you what CONTENT is being sent, but limits with whom the devices connect. That's all I need to know. Either I trust the vendor, or I do not.
I see no need for any of my previous or current NAS units to have any internet access. I can download firmware and apps manually and install them as I see fit. Cutting communication provides a reasonable level of security. Ok, there are ways a 3rd party device could access and pass on stuff, but I'm not *that* paranoid.
By running a VPN, I can access my devices from anywhere.
Anything that needs internet access only, i.e. no internal network access, such as my echo dot, my smart switches, hue light hub, etc, get put on the "guest" network where they are isolated from my internal network.
Another option is to multi-home devices. My NAS (TS563) and my Raspberry Pi's have dual NICs so can connect to both the internet and my internal network exposing specific services / ports to each as is appropriate. At one point I did have one NIC on my NAS exposed with port forwarding as I was running a web site on it, ultimately I decided to move that off as I didn't want the risk. I believe a NAS should be for storage and backup, not web servers, media players, etc, but that's just my opinion.
My approach is pretty basic but I figure it provides a reasonable amount of security for very little effort or cost.