Yes, tragically. Don't buy a Samsung Odyssey monitor like I did. It takes 7 button presses to change the input and there's a Disney+, Netflix, and Prime Video dedicated buttons on the remote.
Not OP but, my TV has a local api. I connected it to my network so I can control it via home assistant. That can be one reason why. Of course, its also on a VLAN that has no access to the WAN.
The Sony Bravia I have now is the first Android device I have ever owned. It is also, coincidentally, the first TV I have had to hard reboot on a regular basis because the HDMI stack keeps crashing.
I have never and will never allow this thing to go online.
If you factory reset your Bravia and then decline all the Google features (don't sign in, etc.) it's about as close to a dumb TV as you can get these days.
We're smart enough to not plug them in. Also who watches TV anyway? You can't even talk to anyone on TV like you can here. TV is stupid. Good riddance.
The first step is buying devices from reputable vendors and trustworthy resellers to minimize the likelihood of malware being pre-loaded from the factory or while in transit.
Given the size I suspect this is also a common attack vector.
Android TV devices should have their remote access features disabled if not needed, while taking them offline when not used is also an effective strategy.
Is this a thing? Why would a TV have remote access features?