I have Ubiquiti APs that run off a local UniFi VM. The APs don't have internet access and the UniFi box has only limited access to grab firmware updates. No need to trust when you can enforce limits on a separate router running a FOSS OS like opnsense.
