I have IoT devices. Are they on any botnets? I don't know, I don't spend any time checking.
You can't however initiate a connection to them from the outside(no port forwarding) and uPnP have been disabled.
Still if the manufacturer have failed somehow, and they have been infected from the factory or when they phone home, they could be running nasty stuff.