At home on my OpenBSD router I'm running the local services (unbound and dhcpd) in the 'local' rdomain; the external interface runs in a separate rdomain so all routing/interaction between external and internal rdomain needs to be explicitly configured via PF.
On my main server at home as well as the "non-smartOS-hosts" in our company network, all services (e.g. 2nd DNS, nginx reverse-proxy, postgresql, zabbix, CUPS print server...) and especially all larger "services" and stuff that drags in tons of packages (nextcloud, emby...) always run in jails. This makes maintenance easier by several magnutudes. E.g. for (larger) upgrades just clone the jail and leave the original one running and unmodified until the upgrade is done & confirmed working. No more waiting for maintenace windows - swapping out the jails after upgrades takes a few seconds at most and can be easily scripted.
On our branch routers we are running smartOS as hypervisor and the dedicated WAN interface(s) is/are only connected to the VM running the OpenBSD router/firewall instance. All zones for local services are only connected to the local interfaces/VLANs they need to have access to/be accessed from.
Because smartOS always runs the hypervisor (KVM or bhyve) within a zone, if someone would manage to infiltrate the VM and break out of the hypervisor, he'd be even more confined within this almost completely empty zone...
I've been using jails/zones and ZFS for many years now and it *vastly* simplified maintenance, backups and day-to-day work.
Jails/zones have almost no overhead; same goes for ZFS snapshots - so you can just use them extensively and thus always have an "escape plan" at hand (even for the host thanks to boot environments).
Splitting everything up in several, well contained instances not only increases security, but also makes it easy to manage upgrades more flexible. I.e. you can keep the host and public-facing services always up-to-date but e.g. update the purely local services as you come by (which is exceptionally convenient for stuff like nextcloud or horde groupware, which blow up on updates rather regularly).
It makes it also much easier to get rid of or just try out software packages without polluting the whole host and maybe even interfering with running services.
My jailhosts usually only directly connect to the management-VLAN - other VLANs are only connected to jails running services for those networks. So there is no direct attack surface to the host from any "easily" accessible network (guests are in a completely separate VLAN and rdomain anyways).
The jailhosts also only run a minimal set of packages (vim, iocell, zfsnap, zabbix-agent, ssmtp and *maybe* a few site-specific ones), so they can be very easily rebuilt and are very low-maintenance, especially because they are following the quarterly package-branch. SmartOS is an immutable install anyways - so just plug the drives and an USB-stick containing a smartOS image in a new host and you're back in business.
Jails and zones (which includes VMs on smartOS) can be easily transferred via their zfs snapshots, which are already used for backups anyways - so I couldn't care less if a jailhost dies, as all jails can be "rebuilt" by simply zfs send|recv from the backup system to a new/existing jailhost. If you use the same notation for vlan interfaces (or just attach them to loopback interfaces) you wouldn't even have to touch the network configuration of the jails. Again - MUCH easier and sane than trying to pull config and user files from a "one-for-all" bare-metal-host...
TL;DR: using jails (and ZFS) extensively makes life much easier, upgrades very safe and increases security. Administrative overhead is minimal, especially compared to the madness of "everything on the same host".