
Yes, you can isolate individual devices the same way you'd isolate any IPv6 device on your home network - using a firewall. Normally you would firewall away your entire home network and only open up connectivity to the devices you want.

Additionally, you can configure the firewall on the Border Router as well, which is the device that actually interfaces between Thread and other networks.



That's a shot in the dark, but I may ask it here: Do you have a simple documentation that would tell someone who knows how to route an IPv4 network and avoid the pitfalls, what is the correct way to do it in IPv6? I struggle to find a good summary of the things one needs to know.


IPv6 is weird for someone coming from IPv4. Basically every IPv6 address is a public IP address. Your firewall is responsible for blocking inbound traffic from actually getting to the devices at these addresses. This replaces NAT. So, what I do is have a default rule that blocks all IPv6 traffic inbound. Then, instead of a NAT rule, port forwarding, etc., I just allow inbound traffic on certain ports to certain addresses.
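Added example, not part of any comment in this thread: an nftables ruleset for a Linux home router implementing the default-deny inbound policy with per-host, per-port allows described above. The interface names `wan0` and `lan0`, the host address `2001:db8:1::10` (documentation prefix) and the chosen ports are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example: wan0/lan0 and 2001:db8:1::10 are placeholders.

table ip6 home_fw {
    # Traffic routed THROUGH the router to devices on the LAN.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that LAN devices opened themselves.
        ct state established,related accept
        ct state invalid drop

        # LAN devices may open connections outward.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors; dropping packet-too-big breaks path MTU discovery,
        # because IPv6 routers never fragment in transit.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # What replaces a port forward: allow HTTPS to one global address.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
    }

    # Traffic addressed TO the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Neighbor discovery and router advertisements do the job ARP does
        # in IPv4; blocking them takes the link down.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # DHCPv6 replies from the upstream router (link-local source).
        iifname "wan0" ip6 saddr fe80::/10 udp dport 546 accept

        # Router administration from the LAN side only.
        iifname "lan0" tcp dport 22 accept
    }
}
```

The ruleset can be syntax-checked without loading it using `nft -c -f <file>`. The allow rule only keeps matching if the device's address stays the same, so the target host needs a stable address rather than a rotating privacy address.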



