I’d start with the assumption that any reasonably priced camera (and a downright shameful percentage of the ‘oh-so-fancy-and-expensive’ ones) is simply broken beyond any repair that you could DIY or that the manufacturer is competent and motivated enough to do. Some are more broken than others; but it simply isn’t a safe assumption that any of them can be trusted on the public internet.
On the LAN side, it’s more a matter of your paranoia; but a second router (or a more sophisticated model with support for multiple SSIDs and VLANs, your call) is pretty cheap. Given the risk of compromised hosts on your LAN (either yours, after a spot of bad browsing luck, or god-knows-what from friends/relatives who want to get on the internet), why risk it over $50?
So, all cameras on their own dedicated network (if you went with two routers) or on their own VLAN (if you went with one more sophisticated one). Access to that network should be only through an SSH tunnel or VPN (SSH tunnels are a bit more elegant, since you can tunnel individual ports, but are less well supported on non-unixlike systems, while VPNs are a bit clunkier, since they tunnel everything, but basically all OSes, even mobile ones, support a variety of VPN options).
If you go with SSH, any router that supports OpenWRT should be ready to go once you configure the SSH daemon correctly (keypair auth is best. If you must use a password, make it good). If you want a VPN, you’ll need to do some additional work; this is one implementation.
Unless you have a static IP, you’ll also need dynDNS so that you can actually find your network; any router supported by OpenWRT can handle this, and a surprising number of proprietary vendor firmwares can as well. Once that is set, you either SSH tunnel or VPN connect to the router handling your cameras, and away you go.
It doesn’t hurt to do what you can with the cameras’ “security” settings; setting passwords, updating firmware, etc. probably won’t make them worse, but is largely secondary. In case any of the cameras you buy try to do something fancy (e.g. tunneling back to the mothership so that the vendor can offer a ‘super-convenient’ “cloud monitoring” account or some nonsense like that), it would probably also be a good idea to configure the firewall rules on your camera router to explicitly reject all incoming and outgoing traffic except your SSH or VPN. You don’t want the cameras doing anything stupid.
As for local connectivity, WPA2-AES (probably just PSK; RADIUS is a pain in the ass unless you’ve got a lot of clients to deal with) on the wireless, reasonable caution on anything hardwired (albeit mostly out of concern for weather and squirrels and stuff; if you have ninjas tapping your ethernet cables physically, you have other problems…)
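
A sketch of the camera-router firewall described above, written as an OpenWRT `/etc/config/firewall` for the SSH-tunnel variant. This is an added example, not part of the original post. The network names `wan` and `cam`, SSH on port 22, and the router handing out DHCP to the cameras are all assumptions.

```uci
# /etc/config/firewall on the camera router (constructed example)

# Anything not explicitly allowed below is rejected.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Internet-facing side. Router-originated traffic (e.g. dynDNS updates)
# is still allowed out; nothing is allowed in except the SSH rule below.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Camera network ('cam' is an assumed interface name).
# input REJECT:  cameras cannot reach services on the router itself.
# output ACCEPT: the router's SSH daemon can open the tunnelled
#                connections to the cameras.
config zone
	option name 'cam'
	list network 'cam'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Cameras may request a DHCP lease from the router, nothing else.
config rule
	option name 'Allow-DHCP-cam'
	option src 'cam'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# The only way in from outside: SSH to the router.
config rule
	option name 'Allow-SSH-wan'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# Deliberately absent: any "config forwarding" section with src 'cam'.
# With no forwarding defined, camera traffic is never routed to the
# internet, so a camera cannot phone home to a vendor cloud service.
```

With rules like these, a camera is reached through a local port forward, e.g. `ssh -L 8080:<camera-ip>:80 root@<your-dyndns-name>` (both placeholders), and then browsed at `localhost:8080`.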