Saying a device is not connected to the Internet because it has a firewall is completely inaccurate and deceptive; all devices connected to the Internet should have a firewall, if not multiple layers of them.

Connecting to their local secure network is and pretending it is without even a modem, is pretty shifty as well. It takes one infected computer on their secure network to open the whole network to outside access. For many things, having a secure network may be required, but they better do everything just right to keep it secure. When they mention "air-gapped" you start getting a better feeling about it...until you find out how they bring data in and out of their air-gapped secure network. Your secure network is only as secure as its weakest link.

Yet, not mentioned is the frequently acceptable security use of using VPNs, which muddy this concept. Many times IoT, devices, and even critical infrastructure will connect through the Internet, like from a cellular module, back to a central control office or server location's secure network. This is frequently done through encrypted and authenticated network tunnels, such as with a VPN. This practice, while going through the Internet, is generally expected to be a safe way to securely connect a device that is very far away, back to a secure network or server.

While this can be done securely by today's standards, you open yourself to more attack surface, give lots of room to screw up, and honestly, today's standards are always tomorrow's failures.

This is why something extremely critical...should simply not be connected to the Internet or any network.