Watch out for those TP-Link switches.
They used to have VLAN 1 connected to all ports (non-removable), causing nasty leaks.
My favorite priced satellite switches are the D-Link DGS-1100-08 and the '08P for my PoE APs.
My favorite priced "core" is the D-Link DGS-1210-28 (can do .1x and MAC filtering).
I'm using a pfSense box as my L3 firewall (router), and currently have 14 VLANs.

I have spread my VLANs over 3 physical firewall interfaces, and it performs nicely.
I took the firewall route when ransomware became widespread, with the wife still "clicking on everything" on her phone/PC.
Using Linux for fileservers, I can make the picture shares read-only based on VLAN IP range.
So she can still see (read) pics, but not write (destroy).
Several of my satellite switches are "tailed" off another satellite switch ... Not optimal, but saves me on cabling.
And BW hasn't been an issue yet (1Gb).
If you don't define unused VLANs on a trunk, you're preventing unneeded L2 traffic.
I see a lot of "Critical reported UI bugs" with Netgear ... Be aware, and update.
/Bingo
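
An added example, not part of the post above: a small audit of read-only-by-VLAN shares, assuming they are NFS exports in `/etc/exports` (the post does not say which file-sharing protocol is used). The paths, subnets and function names are constructed for illustration. The check is conservative: it flags any `rw` entry whose network overlaps the VLAN and does not model NFS match precedence.

```python
import ipaddress

# Constructed sample /etc/exports content; paths and subnets are assumptions.
SAMPLE_EXPORTS = """\
# pictures: family VLAN may only read, admin VLAN may write
/srv/pictures  192.168.30.0/24(ro,root_squash)  192.168.10.0/24(rw,sync)
/srv/backup    192.168.10.0/24(rw,sync)  192.168.0.0/16(rw)
"""


def parse_exports(text):
    """Yield (path, network, writable) for each IP/CIDR client entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, opts = client.partition("(")
            options = opts.rstrip(")").split(",") if opts else []
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:
                continue  # hostnames, wildcards, netgroups: out of scope here
            # exports(5): an entry is read-only unless rw is given
            yield path, net, "rw" in options


def writable_from(text, vlan_cidr):
    """Return [(path, client_net)] where an rw entry overlaps vlan_cidr."""
    vlan = ipaddress.ip_network(vlan_cidr)
    return [(path, str(net))
            for path, net, rw in parse_exports(text)
            if rw and net.overlaps(vlan)]


if __name__ == "__main__":
    # The family VLAN (constructed: 192.168.30.0/24) should have no rw paths.
    for path, net in writable_from(SAMPLE_EXPORTS, "192.168.30.0/24"):
        print(f"WRITE ACCESS: {path} is rw for {net}, which covers the VLAN")
```

In the sample, the pictures share is correctly read-only for the family VLAN, but the broad `192.168.0.0/16(rw)` entry on the backup share still covers it, which is the kind of overlap this check is meant to surface.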