Your router is a threat
February 9, 2026
A router is an absurdly high-value target for an Evil Maid attack: it sees everything your network does (and can behaviorally profile you), it can man-in-the-middle literally everything (and steal your passwords; even encrypted transport is not a guaranteed defense), it can effortlessly exfiltrate anything it sees (because it has Internet access), and more.
A router is also one of the easiest devices to compromise: it is left alone, unsupervised and in the open, 99% of the time, and it is rarely even superficially inspected.
This isn't theoretical. Do you have a prying landlord? A cleaning service? A stalker? Occasional house parties? A suspicious neighbor? An ex with a grudge? Sketchy contractors? A local teenager who styles themselves a hacker? All of these and more can present grave threats to your digital security without you ever knowing.
If your router doesn't receive regular security updates (most do not), cracking it may not even require physical access: simply connecting to your Wi-Fi and attacking it over your local network may be enough, and the same goes for every other device on your network. Do you actually trust everyone you've ever given your Wi-Fi password to? Do you trust that your no-name Internet-of-Things devices aren't already compromised and capable of attacking your router next? And all of this is to say nothing of the risk of over-the-Internet attacks on unpatched routers.
Ultimately, for most people, the only thing keeping their networks safe is luck and obscurity… assuming they haven't already been pwned.
So what can you do? Well, the single biggest thing is to switch to known-maintained, open-source firmware; in practice, that generally means OpenWrt. If your router doesn't support it, get one that does. Download the right image for your router, verify the published hash of your download (because router images are high-value targets for tampering), and follow the instructions for getting it onto your router. Once you have it up and running, you must keep it up to date. And do not get clever with it: leave settings at their defaults unless you know what you are doing or the installation guide tells you to change them. Make sure to back up your settings once you have a working system.
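As an added example (not from the post), here is a shell function for the hash-verification step. It refuses an image whose name is missing from the release's sha256sums file as well as one whose hash differs; the file and image names below are assumptions, and the sha256sums file is the one published in the same download directory as the image.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Verify a downloaded OpenWrt image against the release's sha256sums file
# before flashing it. Lines in that file look like "<64 hex> *<filename>".
# Usage: verify_image <sha256sums-file> <image-file>
# Returns 0 only when the image's name is listed AND its hash matches.

verify_image() {
    sums_file=$1
    image=$2
    name=$(basename "$image")

    # Expected hash for exactly this filename (with or without the '*' marker).
    expected=$(awk -v n="$name" \
        '$2 == ("*" n) || $2 == n { print $1; exit }' "$sums_file")
    if [ -z "$expected" ]; then
        echo "REFUSE: $name is not listed in $sums_file (wrong file or wrong target?)" >&2
        return 1
    fi

    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "REFUSE: hash mismatch for $name" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi

    echo "OK: $name matches the hash listed in $sums_file"
    return 0
}

# Run directly as: ./verify.sh sha256sums openwrt-<target>-sysupgrade.bin
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

Only flash the image when this prints OK; a mismatch or an unlisted name means you downloaded the wrong file or someone altered it in transit.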
The next biggest thing you can do is to use secure passphrases, for both your admin login and your Wi-Fi connections. Any four truly random words of reasonable length, capitalized and separated by spaces or dashes, will be tremendously strong despite being easy to remember. You must never re-use these passphrases elsewhere. And if you ever stop trusting someone who has your Wi-Fi password, you need to change that password. Here's a likely-trustworthy passphrase generator you can use.
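An added example (not the generator the post links to) of the four-random-words recipe in shell: words are drawn from /dev/urandom via shuf, capitalized and dash-joined, and the script reports the entropy of the choice so you can see why the size of the wordlist matters. The wordlist path is an assumption; it expects one word per line, such as a large Diceware-style list.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Generate a passphrase of N random words and report its strength.
# Assumes WORDLIST holds one plain word per line.

# Print N words from the list, chosen via the kernel CSPRNG, no repeats.
pick_words() {
    list=$1; n=${2:-4}
    shuf --random-source=/dev/urandom -n "$n" "$list"
}

# Capitalize each word's first letter and join the words with SEP.
gen_passphrase() {
    list=$1; n=${2:-4}; sep=${3:--}
    pick_words "$list" "$n" |
        awk -v sep="$sep" '{ w = toupper(substr($0, 1, 1)) substr($0, 2)
                             out = (NR == 1) ? w : out sep w }
                           END { print out }'
}

# Entropy in bits for N picks from SIZE words: N * log2(SIZE).
# (Drawing without repeats removes only a negligible fraction of a bit.)
entropy_bits() {
    size=$1; n=${2:-4}
    awk -v s="$size" -v n="$n" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# Run directly as: ./passphrase.sh /path/to/wordlist.txt
if [ -n "$1" ]; then
    WORDLIST=$1
    words=$(grep -c . "$WORDLIST")
    echo "passphrase: $(gen_passphrase "$WORDLIST" 4 -)"
    echo "strength:   $(entropy_bits "$words" 4) bits from $words candidate words"
fi
```

Four words from a 7776-word list give about 51.7 bits; four words from a list of a few hundred give far less, so the strength comes from the list, not the capitalization.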
This part sounds technical, but it must not be skipped: you need to configure, at a minimum, two VLANs, each served by its own SSID: one trusted, one untrusted. The untrusted one should have Client Isolation enabled, and it is where all your IoT devices, your smartphone(s), and your guests should live. (Note that some IoT devices may need to be able to talk to each other; you can trivially allow this by making a third VLAN just for them, or much less trivially by writing firewall rules.)
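An added example (not from the post) of what that looks like in OpenWrt's UCI config files. It follows the shape of OpenWrt's documented guest-Wi-Fi setup, giving the untrusted segment its own bridge and subnet rather than an 802.1Q tag on the LAN bridge, and keeps the trusted SSID on the stock 'lan' network; the interface, zone, SSID and address names are assumptions, the two wifi-iface sections replace the stock default_radio0 section, and a matching config dhcp 'iot' section is also needed.

```uci
# /etc/config/network (excerpt): an untrusted segment on its own bridge and subnet
config device
	option name 'br-iot'
	option type 'bridge'

config interface 'iot'
	option device 'br-iot'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/wireless (excerpt): one SSID per segment, Client Isolation on the untrusted one
config wifi-iface 'trusted_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'Home'
	option encryption 'sae-mixed'
	option key 'REPLACE-WITH-FOUR-RANDOM-WORDS'

config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'Home-IoT'
	option encryption 'psk2'
	option key 'REPLACE-WITH-A-DIFFERENT-PASSPHRASE'
	option isolate '1'

# /etc/config/firewall (excerpt): the iot zone may reach the Internet and nothing else;
# the router itself still answers DHCP and DNS for it
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'iot-dhcp-dns'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

The 'iot' zone has no forwarding to 'lan', so a compromised IoT device can reach the Internet but not your trusted machines, and with isolate set it cannot reach the other IoT devices either.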
Put Scotch tape across an openable seam on your router and any external-facing serial/USB ports, mark that tape with permanent marker, and then take a picture of that tape. This is your tamper seal. By closely comparing your photo to the seal, you can now verify whether your device has been opened. And the existence of the seal is itself a deterrent against attackers. Make sure you check the seal every time you have had unsupervised guests over. If it's ever violated, reflash OpenWrt from scratch, and then restore your known-good backed-up settings.
If at all possible, keep your router out of sight. This will reduce temptations and attacks of opportunity.
The combination of the above changes should protect you from all low-skill attacks and drastically reduce the odds of successful vulnerability exploits.
That said, you can go further. If you want maximum security, your router should be in a locked rack, your system should live on encrypted storage, and your boot chain should be cryptographically sealed and measured; moreover, your inter-VLAN (east-west) routing should be handled by a dedicated L3 switch and your Wi-Fi access by dedicated access points, so that the blast radius of a compromised edge is severely limited. All of these are beyond the scope of what a typical home user can accomplish, but following even just the earlier advice will already put you leagues ahead of most people in the world.
If you are nevertheless interested in going for an enthusiast solution, I recently wrote a series of scripts that convert a mini-PC into a secured router: SecureBoot with custom keys, full disk encryption (including /boot), TPM auto-unseal per system state, OPNsense in a virtual machine with network interface passthroughs, hosted by Ubuntu Server whose sole means of networking is a logical bridge to the guest, ZFS + RAID1 for integrity + bitrot resistance + uptime, and ZFSBootMenu for easy recovery if the ESP is damaged. With this configuration, Evil Maid attacks are more-or-less effectively limited to state-level actors.
Most people spend 10× the effort securing endpoints that are 10× less-important than their router. Don't be those people. Secure your network before everything else.