3 points
It’s also not about what data they hold, but what data they have access to.
To you, it’s a light bulb, but internally, it’s a network-connected microcontroller, meaning it’s also connected to everything else in your network.
It theoretically could scan and exploit any number of security holes in other devices, including but not limited to phones and desktops.
Even if the manufacturer is ethical with it, other nefarious actors can use it as an attack point to try to gain deeper access. Some of these devices run a full Linux install internally, and if you know how, you can even get a shell session open on them.