Do you have documentation to link to on the VLAN hopping issue? So far I can only find issues with RTL819xD-based devices.
I don't have the references stored anywhere, as it's been a while since I have seen them in the wild, but IIRC most cases can be found via the TL-SG101xE reference, because TP-Link also uses the same reference designs and white-label software. Those must have been around the RTL8367 ASIC era with 8051 CPU cores (which, ironically, is better than most MIPS cores due to them being so limited that exploitation is harder).
There were two main issues and a third side-effect:
1. In some cases, VLAN1 could not be removed from a port, nor from the management plane, even if the UI said so.
2. In some cases, all ports would start up in pass-anything mode before the VLAN table was loaded.
3. In most cases, you could DoS the switch, causing it to get reset by the WDT; combined with #2, you could connect to any device.
Since the devices (or rather the ASICs) are designed for home and prosumer use, nobody really cares about manufacturing them to baseline security standards, making them not suitable for their purpose (which is: multiple separate logical networks on the same physical hardware).
This was mostly misconfiguration in the reference design (hardware and software), which is usually how you'd find the devices to be out of the box. At some point people started rewriting the flash chips to make the ASIC boot with ports disabled, then load the user configuration and only then enable the ports, which is what it should have done to begin with. The same was done with the VLAN1 hangup: the configuration binaries could be downloaded, modified, re-checksummed and uploaded to actually disable global VLAN1 forwarding unless explicitly enabled per port.
In a way, this at least allows you to be sure of the actual configuration of the ASIC since its limited hardware (and software) makes for easy disassembly and verification for any reverse-engineer. Ironically, that makes a low-end management ASIC more transparent than a higher-end ASIC, but less useful for the general user than it should have been.