You would probably want three VLANs. One VLAN for resources (printing and servers), a second VLAN as the standard data VLAN, and a third VLAN for Kid Data. Uplinks between network devices should be untagged; hosts should be tagged for their appropriate VLAN. At the core, these three VLANs should be untagged for the ports going to resources (printing and servers) and the internet… It’s best practice to not use VLAN 1… but in your situation the network is probably not a target of threat actors. The WiFi networks can be added to the main data VLAN. If you need the SSIDs separated, then make a fourth VLAN for the secondary SSID. These VLANs just need to cross over to whatever resources they need. This can be done with routing or just simple VLAN tags on your L3 device…
In general, if you want to separate networks, VLANs would be required, so a managed switch, and if one wants security, get a firewall, something like pfSense.
Why do I need a managed switch in this setup? I mean, the ERX can create and manage VLANs, and UniFi can add tags to its WiFi networks, so why is an additional device needed here?