When in doubt, I take for granted that every camera with closed firmware contains malware that phones home or waits dormant to be used to steal sensitive video+audio or to take part in a botnet, which already happened several times. The solution as of today is to put a firewall in between that blocks any traffic to the LAN and from the outside, except from trusted applications. There are many multi ETH port mini PCs that can be repurposed as firewalls so that the video surveillance subnet can be physically separated from the rest by connecting all cameras (for obvious reasons I wouldn't take WiFi into consideration) to a switch, possibly with PoE support.