TP-Link devices have been shown to ship with backdoors baked directly into the firmware.
The TL-WDR4300 and TL-WR743ND have a special unauthenticated URL that causes the device to connect back to your IP, download a file, and execute it as root.
The TL-WA701ND and similar models create a hidden SSID that acts as an unauthenticated bridge into your network.
If you can even manage to report security issues to them, they will only patch models you specifically tell them are vulnerable. So as a researcher you have to buy one of every model to actually get things fixed.
There are thousands of issues. I updated my comment with a few examples.
They suffer from extremely poor code quality, a complete lack of understanding of security, and severe code reuse without recording what devices the code ends up in. You can take existing TP-Link exploits, poke around in a new model of device, and often find the same vulnerable endpoint under a new "hidden" URL.
Edit: to address your specific question, CVE-2021-35004 is RCE against both routers and standalone APs.
You are comparing their consumer routers to their business line-up. The management interface for the business line-up can be properly segregated onto separate VLANs to protect it.
Sadly the consumer department doesn't seem to follow the same model as their business department.