Ah, I wasn't aware OPNsense was doing that. Certainly having multiple services running provides a larger attack surface. How are you implementing this? In jails/VMs?
At home on my OpenBSD router I'm running the local services (unbound and dhcpd) in the 'local' rdomain; the external interface runs in a separate rdomain so all routing/interaction between external and internal rdomain needs to be explicitly configured via PF.
On my main server at home as well as the "non-smartOS-hosts" in our company network, all services (e.g. 2nd DNS, nginx reverse-proxy, postgresql, zabbix, CUPS print server...) and especially all larger "services" and stuff that drags in tons of packages (nextcloud, emby...) always run in jails. This makes maintenance easier by several magnutudes. E.g. for (larger) upgrades just clone the jail and leave the original one running and unmodified until the upgrade is done & confirmed working. No more waiting for maintenace windows - swapping out the jails after upgrades takes a few seconds at most and can be easily scripted.
On our branch routers we are running smartOS as hypervisor and the dedicated WAN interface(s) is/are only connected to the VM running the OpenBSD router/firewall instance. All zones for local services are only connected to the local interfaces/VLANs they need to have access to/be accessed from.
Because smartOS always runs the hypervisor (KVM or bhyve) within a zone, if someone would manage to infiltrate the VM and break out of the hypervisor, he'd be even more confined within this almost completely empty zone...
One point (and a major one) for me is the trade-off between administration time and time spent doing more enjoyable things (homelab tinkering). How admin-intensive is that approach for your work? It's one thing to have multiple resources keeping an eye on infrastructure, and another to have one/few people doing it all while keeping track of multiple pieces, which is where consolidation/fewer pieces of infrastructure becomes attractive. I completely agree with all your points though from a security standpoint though.
I've been using jails/zones and ZFS for many years now and it *vastly* simplified maintenance, backups and day-to-day work.
Jails/zones have almost no overhead; same goes for ZFS snapshots - so you can just use them extensively and thus always have an "escape plan" at hand (even for the host thanks to boot environments).
Splitting everything up in several, well contained instances not only increases security, but also makes it easy to manage upgrades more flexible. I.e. you can keep the host and public-facing services always up-to-date but e.g. update the purely local services as you come by (which is exceptionally convenient for stuff like nextcloud or horde groupware, which blow up on updates rather regularly).
It makes it also much easier to get rid of or just try out software packages without polluting the whole host and maybe even interfering with running services.
My jailhosts usually only directly connect to the management-VLAN - other VLANs are only connected to jails running services for those networks. So there is no direct attack surface to the host from any "easily" accessible network (guests are in a completely separate VLAN and rdomain anyways).
The jailhosts also only run a minimal set of packages (vim, iocell, zfsnap, zabbix-agent, ssmtp and *maybe* a few site-specific ones), so they can be very easily rebuilt and are very low-maintenance, especially because they are following the quarterly package-branch. SmartOS is an immutable install anyways - so just plug the drives and an USB-stick containing a smartOS image in a new host and you're back in business.
Jails and zones (which includes VMs on smartOS) can be easily transferred via their zfs snapshots, which are already used for backups anyways - so I couldn't care less if a jailhost dies, as all jails can be "rebuilt" by simply zfs send|recv from the backup system to a new/existing jailhost. If you use the same notation for vlan interfaces (or just attach them to loopback interfaces) you wouldn't even have to touch the network configuration of the jails. Again - MUCH easier and sane than trying to pull config and user files from a "one-for-all" bare-metal-host...
TL;DR: using jails (and ZFS) extensively makes life much easier, upgrades very safe and increases security. Administrative overhead is minimal, especially compared to the madness of "everything on the same host".