An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device. That’s when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn’t consented to. The user, Harishankar, decided to block the telemetry servers’ IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after. After a lengthy investigation, he discovered that a remote kill command had been issued to his device.
Most of them, sure. Every single one until proven otherwise, yes. Every single one, no qualifiers? No.
Brands like Shelly allow you to completely disable the cloud, which AFAIK makes them stop phoning home completely except for update checks.
I think a lot of “Home Assistant certified” brands are good privacy-wise, as that means that they don’t care about pushing you onto their proprietary cloud.