Hacker News

lousken today at 3:35 PM (3 replies)

Why bother with TLS? Stick it on a separate VLAN, lock down all the traffic.

Replies

justin_oaks today at 3:46 PM

Some of this might have been "because I want to see if I can". Another reason is "It bothers me to keep seeing this browser tell me my connection is insecure".

As for putting it on a separate VLAN and securing traffic with firewall rules, that may be as much or more trouble than setting up the automated certificate renewal. At least with the automated certificates there may not be any further maintenance required. With firewall rules, you'll need to open up the firewall each time you want a new device to access the printer.

dns_snek today at 3:47 PM

Because that only protects you from a small subset of the possible threats that end-to-end encryption protects you from, like DNS hijacking and any MITM-type scenario.

Sticking it on a VLAN only controls access, not data secrecy.

hrmtst93837 today at 5:04 PM

A VLAN buys you time, not trust. Give a printer its own separate segment and six months later you've got ad hoc firewall exceptions for scans, updates, vendor support, and some test VM nobody remembered to remove. TLS is boring, and that's the point: it fails closed, while network policy drifts until the weird exception becomes the default.
