Current design and user-oriented security/privacy research focuses on individual awareness, choice, and consent approaches. Despite some successes, decades of research highlights significant limitations to informed consent and usable choice approaches: policies are often ignored, overly time-consuming, and can actually decrease trust, even when they are clearly written; and privacy decisions and preferences vary widely according to experience, personality, identity, ability, and situation. These issues are further complicated by the rise of vulnerable “always-on” Internet of Things (IoT) devices, such as AI-equipped smart speakers, wearable activity trackers, and smart security cameras. Because IoT is innately physical, spatial, and distributed, these technologies affect people, communities, and activities beyond the frame of an individual primary user. Non-primary users, such as roommates, guests, neighbors, domestic workers, renters, and passers-by, are also affected—often unknowingly, with little recourse, and with great potential harms. This project combines qualitative fieldwork, participatory design activities, and design prototyping to understand diverse needs and vulnerabilities of primary and non-primary IoT users and subjects, and develop hybrid digital and physical solutions that can address the unique cybersecurity challenges of IoT.