True, but not relevant. In order for internal hackers to attack you, they have to get a non-routable subnet IP by connecting to the router. Then they can use an ARP shout to build their internal routing table, and try to connect to other devices without going through the gateway.
Whut? Internal hackers? It’s a home network. If they’re already inside, it’s a moot point.
You can ARP from any machine in the network, and presuming it’s a flat architecture (no VLANs), every device on the network is going to be in the ARP table. Not hard to determine endpoint addresses at that point. Gateway isn’t an issue, because a flat network is all Layer 2. No need for routing.
You said the strong password protected the network. Ingress to a network from the Internet is done through open ports. If a port or ports are open to the Internet (e.g. 80, 443, 445, 3389), they can be accessed without using the password associated with the router.