The key there is the switch does most of the work in hardware, so you can have 1G going between all ports with no CPU usage, so the internal 1G port doesn’t matter as much, and the hardware acceleration lets it efficiently handle routing across VLANs without involving much of the internal port. Those internal switches can usually handle VLANs and basic NAT nesrly entirely on its own.
With a single external 2.5G port you lose that because your traffic will have to go in the router and back out to the switch to cross VLANs, so it’s basically a 1.25G link. And it needs to be a managed switch too since the router doesn’t come with a built-in one anymore. Best you can do is software VLANs but the other device will need to also use the VLAN explicitly in that case, as there’s no switch to give you untagged ports.
They’d get sued whether they do it or not really. If they don’t they get sued by those that want privacy invasive scanning. If they do, they’re gonna get sued when they inevitably end up landing someone in hot water because they took pictures of their naked child for the doctors.
Protecting children is important but can’t come at the cost of violating everyone’s privacy and making you guilty unless proven innocent.
Meanwhile, children just keep getting shot at school and nobody wants to do anything about it, but oh no, we can’t do anything about that because muh gun rights.