Your router’s firewall only blocks access to unauthorized ports. If your device is talking to the Internet, then that device is exposed to that connection. Your router’s firewall does not prevent your device from using an outdated and exploitable software on the Internet.

Theoretical example, your device is stuck using an old web browser for whatever reason, that browser does not have a recent patch for an exploit involving loading infected pictures. You use that device to load a website with those infected pictures and your device loads malware because of that. Now your device could become a conduit for somebody to tunnel into your home network and look for any other things to exploit, whether those devices connect to the Internet themselves or not.

Obviously, you can often update web browsers on older devices, use a fork specifically designed for older devices, etc. But there are oversights. Old Android versions can’t update Webview outside of OS updates. Webview is what apps use to load web pages inside the app, and if you’re using an old app, which uses the old Webview, to load a webpage that the owner abandoned and has been taken over by a malicious third-party, your device could be exploited just by that app loading that webpage without you meaning to.