Kids Control - LAN option

Can we have the Kids Control blocking LAN access also? Ideally for each kid we should be able to choose to block either WAN or LAN, or both.

The other day I had one device being blocked using Kids Control but only realised later it only blocks WAN but not LAN. This was not an intuitive behaviour - my kid just kept watching self-hosted Plex on LAN. I scratched my head as I assumed it blocks both WAN and LAN.

If you want your router to block access from your child's device to other devices in LAN, then it's best that you first place the kid's device in a separate VLAN, different than the VLAN where Plex is located. Access control would be much easier using the normal firewall.

If the devices are in the same VLAN (same Layer 2) then normally blocking is more difficult, because you'll have to block at the switching level:

  • If using WiFi then the Access Point may have a "Client Device Isolation" feature that you can use, but normally the feature is not dynamic (may not be able to turn on/off based on schedule or client device).

  • If there are intermediate switches that both the kid's device and Plex are connected to, then those switches need to be managed switches (not dumb switches) that support port isolation.

  • If the router sits between the kid's device and the Plex machine, then you can use the router to filter layer 2 traffic on the bridge, by either writing switch rules or turning on Use IP Firewall in the bridge settings (but this is not good for performance).

In short, it's preferable that you put the devices in different VLANs, if that's possible. If the kid's devices use WiFi, you might think about investing in access points that support PPSK and/or WPA2/3 Enterprise. That will allow you to put individual WiFi client devices in individual separate VLANs that you can place custom limitations on. And it's totally unaffected by the "randomize MAC address" feature of current mobile operating systems. If you have multiple children, you can give each one of them an account (a separate VLAN) with different limitations.
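
The two router-side options from the reply above, sketched as an added example (not configuration posted by anyone in the thread), assuming the router runs MikroTik RouterOS, which the thread does not state. All interface names, VLAN IDs, IP and MAC addresses are constructed placeholders; DHCP and DNS for the new VLAN and the VLAN tagging on the access point or switch are assumed to be set up separately.

```routeros
# Added example; every name and address below is a constructed placeholder.
# Assumed: bridge "bridge", main LAN 192.168.10.0/24, Plex at 192.168.10.50,
# kid's device MAC AA:BB:CC:DD:EE:01, kids VLAN ID 20 on 192.168.20.0/24.

# --- Option A (preferred in the reply): kid's device in its own VLAN ---
/interface vlan add name=vlan-kids vlan-id=20 interface=bridge
/ip address add address=192.168.20.1/24 interface=vlan-kids

# Routed traffic from the kids VLAN to the main LAN hits the forward chain.
# This rule has to sit above any rule that accepts new forward connections.
/ip firewall filter add chain=forward action=drop in-interface=vlan-kids \
    dst-address=192.168.10.0/24 comment="kids VLAN -> main LAN"

# --- Option B: same VLAN, router bridging between the device and Plex ---
# Bridged frames normally bypass the IP firewall; this setting sends them
# through it (the reply notes the performance cost).
/interface bridge settings set use-ip-firewall=yes
/ip firewall filter add chain=forward action=drop \
    src-mac-address=AA:BB:CC:DD:EE:01 dst-address=192.168.10.50 \
    comment="kid device -> Plex, same L2"
```

Option B keys on the device's MAC address, so it stops matching if the device presents a randomized MAC; Option A does not depend on the MAC once the device lands in the kids VLAN.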