Just make sure general network (i.e home public* wifi/wired) are properly spararated from lab net, also make sure to have different mgmt net, have a different wifi/wired net just for you, monitor & firewall those correctly (including outbound connections), keep software up2date, isolate servicies, rootless & ditroless & read-only containers, and read common daily secnews (bleeping computer, hackernews, seclists & fulldisclosure, ...) you should be good.
*public in this context doesn't mean passwordless, but rather being used by others than you (wife, kids, friends)
Probably keeping stuff up2date. Yes, "99%" can be automated, but there are still annoying things like switches & APs fw, UEFI, HV OS updates which can't be sanely automated unless you are in for bricking the crap.
Bonus: proper monitoring and logging systems are just plain annoyance in general, because good ol' there are always some edge cases.