It would be great if there were a way to perform local network segmentation, in addition to the existing VLAN functionality. For instance, it could be as simple as providing another toggle switch under the VLAN creation tab for the GX. So while you're creating another VLAN on your network under the GX, you would have a toggle to specify whether the current VLAN will be configured for local network traffic only, with no internet access, or whether it will have full network access, which is the only existing option.
Providing the ability to restrict a VLAN's access to the local network only would allow business owners to further decrease their attack surface and increase the control they have over their network and devices.