For me it was either not wanting to deal with this too much (ensure they remain safe through time), or also being too paranoid (what if the NVR pivots or has a SIM card? / what if there's a CORS endpoint that triggers when I visit news-website.com from a device with access to the camera VLAN).