I guess one option would be to have several layers of NAT – an inner citadel for stuff you really trust, and then one or two outer courtyards/baillies for things you’re less sure about, until eventually you get to the outside world. Anything on the inside could access the outer layers, but not the other way round.

Not as flexible as a general set of multiple subnets, but easy to set up…?