@Clive_A thanks for your reply.
Concerning hardware, would this be possible with ER7206 or referably ER8411 ?
What I would like to do, and this isn't clear, is to have fine-grained firewalling between the VLAN's.
E.g. :

Allow SSH from standard to IoT VLAN, but not the other way around.

Allow MQTT from IoT to standard VLAN.

Preferably only for specific hosts.

What I see when using GW ACL:

- In service type, I cannot create specific services (non standard ports) ?

- When using LAN --> LAN, source and destination are networks and not hosts

So from this perspecive, it seems not possible

  @Geert_V 

Router LAN to LAN ACL has two options, either close everything or open everything. so what you are trying will not work. it is strange that TP-Link has not prioritized getting this in place, it is perhaps one of the most important things a router should do, but it maybe come sometime in the future,

  @MR.S and is there an alternative in this situation ? Or is the TP-Link solution useless for more corporate oriented networks ?

  @Geert_V 

There is a solution but it is not very good, if you have an Omada switch you can do some LAN to LAN ACL on the switch.
Omada is a network for the SMB market, I would almost say SOHO/SMB, so if your company requires advanced ACL at router level, find something else.

But if I have to guess, router ACL will come with more functions. but no one knows how long it will take, now it has probably been 5 years since the first routers came to Omada and it is still not in place.

I'm not entirely sure about this, but I think you have more options with the router ACL if you run the router in stand alone. I haven't tested it since I only run in controller mode.