Generally the toaster manufacturer does nothing. They either connect to your network or through to a larger network. My a/c connects through my network to its own base. Access to it is secured by that company. I access it through my phone and can do anything you can do standing at the thermostat. Change temp, flip a/c to heat, turn fans on and off, set schedules, raise or lower humidity. My garage is the same way.
First of all, your phone is not secure. Ask BMW how well that worked out for them when they endorsed an app which allowed a phone to control their car and hackers stole hundreds of BMWs (46 in my neighborhood alone last year) by copying the cell signals and duplicating them to take control of the cars. It is not hard to do. It is a basic repeater.
Other applications used the serial number of the car as the security key and hackers just ran through them as they drove through neighborhoods watching for cars to light up. Again, not hard to do.
Basically, anything going over the air is easy to hack.
Hackers are not looking for ways to hack those IoT devices to control them. They are looking at data collection from the hacked network. Once you get into a LAN, they are mostly easy to move around in and snoop on.
Oh, you never know what devices may or may not have microphones and cameras. Most new televisions do, for example.
Mics on the devices listen but do nothing till they hear the correct phrase. For Google Home it is "OK Google" or "Hey Google". Then it will take that phrase through its voice recognition, which is at Google. This is the same for all voice recognition devices. Even voice remotes do this off premise.
By default it listens for a command or question for a very short time, then reacts. You can set it so it listens after reacting for a continued conversation... another question or command.
You can have them react to every voice in your family differently. When I talk to it, any list, timers, meetings, or calls are stored on my Note 8 phone. When my wife talks it stores her items on her phone.
At any time you can go online to your private settings on Google and see anything you have conversed with Google Home. From there you can clear it all or keep it. The purpose of this is so you can see exactly what it picks up day to day.
They are always listening. They just do not react unless they hear key phrases. You cannot know what is being recorded, or what is not being recorded, without analyzing the data leaving the device. Of course, if it is over a wireless connection, then anyone can record the raw data and use it to take control of the device. It does not matter if it is encrypted or not when it comes to using the raw data. Wireless is not secure. Never has been, never will be.