
My home network is growing with IoT devices and I think I'd like to put the IoT devices in a separate subnet. I have a Linux box that I use as my firewall/server and then all of my clients are behind it. The Linux box is running Debian Buster/10 and has two NICs: eth0 is WAN/Internet and eth1 is my internal LAN.

From what I have been reading, it seems like the most efficient solution is to use VLANs (other suggestions are definitely welcome).

I have been reading about VLAN setup and so far everything I'm reading says the VLAN setup requires managed switches. As a quick experiment, I set up a VLAN in my home and was not able to access nor ping devices on that subnet, so it looks like managed switches are indeed required (but it's entirely possible I did something wrong if it should work with unmanaged switches).

I'm re-thinking my infrastructure. All of the switches and wireless routers will be handling traffic for multiple LAN subnets in my updated design. I have multiple Ethernet switches in the house and none of them are managed. I can certainly replace those, but my question is about the wireless routers. I am using a mesh setup from Asus and I see nothing in their documentation to indicate managed or unmanaged, so I will assume that means they are unmanaged. Given the fact that I'd like to set up VLANs at home and route multiple subnets, which hardware should I be using for my wireless routers, or is that even a concern? Should I just focus on updating the Ethernet switches to managed?

Thank you for your time and feedback!

1 Answer


everything I'm reading says the VLAN setup requires managed switches

Yes, but that's not the only thing.

"Managed" simply means it has a configuration interface of some sort, "unmanaged" does not. So unmanaged switches can't do VLAN setup simply because there's no way to configure it. If the switch had a settings screen (or even a serial port), that would by definition make it a managed one.

However, the opposite isn't always true – "managed" does not imply having VLAN support. These days most managed switches support 802.1Q VLAN tagging, but that is not a 100% guarantee. (Old switches from the early 2000s would often omit this feature; they'd still be "managed" because you could configure other things... just not VLANs.)

As a quick experiment, I set up a VLAN in my home and was not able to access nor ping devices on that subnet, so it looks like managed switches are indeed required (but it's entirely possible I did something wrong if it should work with unmanaged switches).

There are two things that fully make a switch VLAN-capable:

  • Ability to carry VLAN-tagged traffic as-is. Most switches, even unmanaged ones, can do this just fine (the only requirement is a slightly higher MTU limit).

  • Ability to add/remove VLAN tags, or specify which ports can receive which VLANs. This is something you configure, so by definition it requires a managed device. (But not necessarily a switch: many routers can tag/untag VLANs too, as can Linux/BSD systems.)

So if you have two devices with VLAN configuration (whether it's two managed switches, or whether it's a router and a WiFi AP), it shouldn't matter if you connect them directly or if you connect them through a reasonably recent unmanaged switch: all VLAN tags will just go through as-is.

Again, what unmanaged switches cannot do is add/remove VLAN tags, or specify which ports can receive which VLANs. All ports are equivalent on an unmanaged switch. Therefore managed switches are required at any spot where different ports need different VLAN rights.

But in practice, if all your IoT things are wireless, and the only wired devices are a) LAN devices and b) multi-SSID (VLAN-capable) Wi-Fi access points, then you can get away with only unmanaged switches most of the time. That's because the Wi-Fi access points themselves will enforce VLAN tags (they have to), and PCs will just ignore the tagged packets.

(Mostly. Windows PCs with Intel Ethernet cards will treat tagged packets as if they were untagged. This causes problems when trying to deploy IPv6 on a tagged VLAN.)

but my question is about the wireless routers. I am using a mesh setup from Asus and I see nothing in their documentation to indicate managed or unmanaged, so I will assume that means they are unmanaged

They're probably just access points, not routers. (The name "wireless router" originally meant a wired router that also had Wi-Fi access-point capabilities.)

They're managed devices, because they provide some means to change the Wi-Fi settings (e.g. change the SSID or PSK). But once again, "managed" does not imply "VLAN-capable", and from a quick search it seems that ASUS AiMesh devices do not support VLANs at all. (You could still put them all in a single VLAN and they'd work the same as always... but you cannot have multiple SSIDs with different VLANs.)
So in conclusion, if you want separation for Wi-Fi PCs and Wi-Fi IoT stuff, you will at minimum need either:

a) one set of Wi-Fi access points with VLAN tagging and multi-SSID capabilities (which will enforce the separation themselves), or

b) two sets of "normal" (non-VLAN) Wi-Fi access points, one for each SSID, and a managed VLAN-capable switch to enforce the VLAN separation everywhere the Wi-Fi APs are connected.

Option a) would be cleaner, IMHO.

  • Thank you very much for the detailed explanation. This has been very helpful.
    – squad 51
    Commented Jul 7, 2019 at 0:27
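The answer's two capabilities (carrying a tag as-is versus adding/removing tags and restricting which ports see which VLAN) can be made concrete with a small model of the 802.1Q frame format. The following is an added illustration, not code from the original question or answer: it builds constructed Ethernet frames, inserts and strips the 4-byte 802.1Q tag, and compares an unmanaged switch (floods every frame unchanged, tag included) with a managed switch whose ports are configured as access ports (one untagged VLAN) or trunk ports (a set of tagged VLANs). MAC learning is left out, so both switches simply flood; the port names and VLAN IDs are made up for the example.

```python
"""802.1Q tagging model (added illustration; not from the original Q&A).

Frames are constructed inline. The ManagedSwitch/UnmanagedSwitch classes
are simplified models (no MAC learning, flood-only) used to show which
behaviours need configuration and which do not.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def vlan_id(frame: bytes):
    """Return the VLAN ID (VID) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]   # PCP(3) | DEI(1) | VID(12)
    return tci & 0x0FFF


def tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the source MAC; this is what a managed access port
    does on ingress. The frame grows by 4 bytes (hence the MTU remark)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    if vlan_id(frame) is not None:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag(frame: bytes) -> bytes:
    """Strip the tag; what an access port does on egress toward an end host."""
    if vlan_id(frame) is None:
        raise ValueError("frame is not tagged")
    return frame[:12] + frame[16:]


class UnmanagedSwitch:
    """No configuration: every frame leaves on all other ports byte-for-byte unchanged."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress: str, frame: bytes) -> dict:
        return {p: frame for p in self.ports if p != ingress}


class ManagedSwitch:
    """Per-port VLAN configuration.
    access: port -> VID (untagged on the wire, tagged internally)
    trunks: port -> set of VIDs allowed to pass tagged."""

    def __init__(self, access=None, trunks=None):
        self.access = dict(access or {})
        self.trunks = dict(trunks or {})

    def forward(self, ingress: str, frame: bytes) -> dict:
        vid = vlan_id(frame)
        if ingress in self.access:
            if vid is not None:          # modelled policy: tagged frames on an access port are dropped
                return {}
            vid = self.access[ingress]
            tagged = tag(frame, vid)
        elif ingress in self.trunks:
            if vid is None or vid not in self.trunks[ingress]:
                return {}                # untagged or disallowed VID on a trunk: dropped
            tagged = frame
        else:
            return {}                    # unknown port
        out = {}
        for port, access_vid in self.access.items():
            if port != ingress and access_vid == vid:
                out[port] = untag(tagged)
        for port, allowed in self.trunks.items():
            if port != ingress and vid in allowed:
                out[port] = tagged
        return out


# Constructed sample frames: a broadcast from an IoT bulb and from a PC.
BCAST = b"\xff" * 6
IOT_FRAME = build_frame(BCAST, b"\x02\x00\x00\x00\x00\x10", 0x0806, b"iot-arp")
PC_FRAME = build_frame(BCAST, b"\x02\x00\x00\x00\x00\x01", 0x0806, b"pc-arp")

# Managed switch: "pc" is an access port in VLAN 1, "bulb" an access port in
# VLAN 10, "uplink" a trunk toward the Debian router carrying both tagged.
MANAGED = ManagedSwitch(access={"pc": 1, "bulb": 10}, trunks={"uplink": {1, 10}})
UNMANAGED = UnmanagedSwitch(["a", "b", "c"])

if __name__ == "__main__":
    print("tagged IoT frame from bulb:", MANAGED.forward("bulb", IOT_FRAME).keys())
    print("unmanaged forwards tag as-is:", UNMANAGED.forward("a", tag(IOT_FRAME, 10)).keys())
```

On the Debian router the trunk side of this picture is a VLAN subinterface on eth1 (for example `ip link add link eth1 name eth1.10 type vlan id 10`, the iproute2 command), so the box itself does the tag/untag step that the answer says Linux can do; the isolation between the IoT subnet and the LAN then comes from the forwarding rules on that box, not from the switch.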
