I've worked on security for IoT devices, and "would have to be on the same lan" is not at all uncommon as an attack scenario. In fact at the company I worked at I worked hard to get our customers to understand that just because a network is "local" does not make it "secure".
