I have some smart speakers (from Teufel, therefore the name) connected to our wifi. A source of lots of fun has been that everyone connected to the wifi is able to control them. So either ban everyone to a guest wifi which would not allow them to use stuff they should be able to, or get nerdy.
After poking around with wireshark it was obvious that the speakers are discovered via multicast DNS. Therefore, I configured a Raspberry Pi to provide a new wifi hotspot which the speakers connect to. Both networks are bridged together but mDNS traffic is stopped on the Pi and only forwarded to whitelisted devices. Of course this is far from being bullet proof but works perfectly in my situation. The speakers only pop up on devices that have been whitelisted, no matter if using the speakers native app or third party apps like Spotify.
I wrote an ansible playbook to configure the Pi appropriately. You can find it here
More details are given in the readme, but basically all you need to do is enter the ssid and password for the new hotspot, add the ips of the Pi, the devices/speakers you want to hide and devices you want to whitelist.
ansible-playbook -i inventories/hosts teufelhole-playbook.yml