As others have suggested, I think we need to tease out the details of your requirements a little more, of which, more later.
The basic question posed in the thread title "switch versus router/firewall" is a false dichotomy - you will need both (or at least the functionality of both) and there are a few variations on how it can be done. The options are confused, not least because there's "function creep" between devices - e.g. there are "switches that can route" and "routers that can switch."
"Routers" are not necessary to "do Wi-Fi." Wi-Fi is availed by something called Access Points (APs), sometimes called Wi-Fi Access Points (WAPs). There's a basic AP built in to the SOHO get-you-on-the-Internet omni-box often (somewhat erroneously) called a "router."
If both your networks (known as "sub-nets" in IP jargon) are going to require Wi-Fi, it may be that you need multiple APs to serve each LAN (VLAN) or APs that can advertise multiple SSIDs bound to separate VLANs (rare in SOHO routers as Chester indicates) or possibly you'll need some inter-LAN routing with ACLs (though I wouldn't do it that way). Again, depends on the details of your requirements.
By default, SOHO routers (or at least the firewalls in such devices) block all inbound connections on all ports, so you don't need to worry about doing anything "special" to avert Internet attacks. Indeed, to allow inbound connections you have to go out of your way to allow traffic in, which is what "port forwarding" rules are about.
Sadly, there's not much you can do about DDoS attacks as, by definition, they work by flooding the connection to your router with traffic, preventing anything else "getting through." By the time DDoS traffic has reached your router, it's already "too late" to do anything about it.
Phishing works by a different "attack vector" and SOHO routers usually aren't sophisticated enough to spot it.
I submit it's a bad idea to try and "reflect" attack vectors back to the originator (even if you could, as it's often masqueraded to prevent detection) and instead do what you do with cold callers and the like - do nothing, say nothing and just put the phone down. In data networking terms, that means silently discarding the traffic, and your (SOHO) router almost certainly does that already out of the box.
We need to understand what traffic flows you expect between your subnets (if any) as that may affect the optimum design.
Finally, with multiple subnets, one needs to consider how you get IP addresses to devices on each, especially if you intend to use DHCP. You may need multiple DHCP Servers or a DHCP Server that can serve multiple "scopes" and possibly some "DHCP Relay" agents (don't worry about all that terminology for now - the techies will understand what it all means).
I suggest a way forward is to get you to draw out a diagram (it doesn't have to be pretty) showing each LAN/subnet you envisage (don't worry about LANs versus VLANs for now), what devices you envisage homed on each LAN/subnet (again, no need to list all, just show the important ones), what traffic flows you expect between each LAN/subnet and between each LAN/subnet & the Internet, and which LAN/subnets require Wi-Fi connectivity. Then we can chew the fat over that a little.
Note to self/others - if it requires more than can be satisfied with a typical SOHO setup with some port forwards, maybe an "onion layer" DMZ type design with an "inner" and "outer" subnet might be suitable and hopefully achievable with cheap SOHO gear (though possibly a DD-WRT'd "inner" router so we can knock out the NAT and possibly the fwall between the internal subnets).
ISP---RO---LAN1---RI---LAN2