Just keep in mind that just like CCTV cameras, you really don't want to give your thermostat access to the internet or expose it to remote access from the internet by port forwarding. This is another use case for a self-hosted VPN. If you can use a mobile device to control the thermostat while on your local network, a VPN will allow you to control it remotely as well. This means a cloud service or subscription is not needed or really wanted.
There is no port forwarding required for remote access to Ecobee thermostats. They must have their own proprietary access methods built into the product for support purposes...but who knows. I can use the Ecobee app to see and control the thermostats remotely as well.
That's not just correct of Ecobee, but of Nest, Resideo, and all of the other easily obtained residential thermostats; they use a token/certificate-based modern auth and open a stateful connection to a cloud service for remote management, and have zero local control and zero ports to open. This also makes them a bit slow to respond to commands, but it's a thermostat; a few seconds or even a minute shouldn't matter. They should still be isolated on a VLAN with only internet access, along with any other cloud-only devices, but their architecture makes them very difficult to attack and very difficult to start lateral movement from. They are all cloud dependent for remote control, but Resideo is the only one of the major three that is designed to work fully offline for an indefinite period of time (they're a spin-off of Honeywell).
The type that requires port forwarding and management like an IP camera requires is rare (though not unheard of) in the residential space and is mostly used in commercial applications. Carrier, Schneider, and some others make them; they are for large multi-zoned systems to be managed via a larger BMS system. They are de facto an IP-based version of the Z-Wave thermostats for when the facility is too large for Z-Wave, or some new multi-zone installs that require coordination between the tstats and a central controller: direct control, managed firmware, and no cloud control. The only residential installs of these I've seen have been alongside a Crestron system, and if you have one of those you're not asking for advice here.
As mentioned above, my personal choice was to use Z-Wave with a central controller, but if you're not going to install a central HA controller at any point in the future, it's a better choice to get a good WiFi thermostat, and just replace it periodically when they stop providing security patches for it.