Well, it’s always reasonable to scale your security effort to the value of the thing that you are protecting, but if someone can intercept your wifi radio signal and penetrate your wifi security (which ranges from trivial to fairly hard, depending on your choice of wifi options), then that person could either monitor the activity (read sensor values and commands being issued); or could join your network and issue new commands to your devices; or could overpower your wifi AP and take sole control of your device.
I’ll be the first to admit that this is very unlikely because the devices are a) obscure (custom) and b) low value (not much gained through penetration), but depending on wifi security alone is a fairly very weak way to secure IoT devices. At a minimum, that should be combined with SSL, and preferably with mutual authentication too (that is, your device knows via SSL attestations that it is talking to the right service host, but does your service know that it is talking to the correct device? That requires client attestations.)
I get that this is homebrew stuff, and I have and would make the same choices you are for one-off/homebrew projects, but I didn’t want to let the original “internal == secure” assertion stand.
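The SSL and mutual-authentication setup described above, as an added example that is not part of the original comment: Python `ssl` contexts for the device and the service, with the weak setting beside the corrected one and a small check that reports which side leaves its peer unauthenticated. The function names and the certificate/key file parameters are assumptions for illustration.

```python
import ssl

def device_context(ca_file=None, cert_file=None, key_file=None, verify_service=True):
    """Device side (TLS client). File paths are deployment-specific assumptions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_service:
        # Weak setting, shown for contrast: the device accepts any host.
        ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that signed the service certificate
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)  # the device's own identity
    return ctx

def service_context(device_ca_file=None, cert_file=None, key_file=None, mutual=True):
    """Service side (TLS server). mutual=False is server-only authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # default: CERT_NONE, any client accepted
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    if mutual:
        # The service rejects a device that presents no valid certificate.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if device_ca_file:
            ctx.load_verify_locations(cafile=device_ca_file)  # CA that issues device certs
    return ctx

def audit(ctx, role):
    """Return findings for one side; an empty list means the peer is authenticated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(f"{role}: peer certificate not required")
    if role == "device" and not ctx.check_hostname:
        findings.append("device: service hostname not checked")
    return findings

if __name__ == "__main__":
    cases = [("device", device_context()),
             ("device", device_context(verify_service=False)),
             ("service", service_context(mutual=False)),
             ("service", service_context())]
    for role, ctx in cases:
        print(role, audit(ctx, role) or "peer authenticated")
```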