Most IoT devices don't need to talk to the entire Internet. At most, they need to phone home to a few servers run by the device manufacturer. So build a protocol in which a device identifies itself (vendor and model) to the home router, the router authorizes it, and the router then downloads a ruleset for that model, signed by the manufacturer, that lists the only destinations the device is allowed to reach. If the device is later compromised, its DDoS traffic never matches the allow-list: the router blocks it and reports the attempt somewhere (to the user, the ISP, or the manufacturer).
Yes, there are quite a few details to work through: keeping a compromised device from spoofing its identity and claiming a more permissive ruleset, key distribution and revocation for the manufacturer signing keys, and dealing with legacy devices that will never announce themselves. But in principle this could work and wouldn't be too difficult for manufacturers to implement.
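To make the proposal concrete, here is an added example of the two halves of that protocol (the manufacturer signing a ruleset, and the router verifying it and enforcing it on outbound flows). It is not code from the original post and does not follow any published standard; the JSON ruleset layout, the model and host names, and the function names are all assumptions made for illustration. It uses Go's standard-library Ed25519 and deliberately leaves out the hard part named above, device identity attestation: the router simply trusts the model string the device presents, and a device that lies about its model gets that model's ruleset.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Ruleset is the allow-list a manufacturer publishes for one device model.
// Anything not listed is denied. The layout is a constructed example, not a standard.
type Ruleset struct {
	Model   string `json:"model"`
	Version int    `json:"version"` // lets the router refuse rollback to an older, broader list
	Allowed []Rule `json:"allowed"`
}

// Rule is one permitted destination: host name, transport protocol, port.
type Rule struct {
	Host  string `json:"host"`
	Proto string `json:"proto"`
	Port  int    `json:"port"`
}

// SignedRuleset is what the router downloads: the serialized ruleset plus
// the manufacturer's Ed25519 signature over exactly those bytes.
type SignedRuleset struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Flow is one outbound connection attempt the router sees from the LAN.
type Flow struct {
	Device string // identifier the device presented at onboarding (assumed, not attested)
	Host   string
	Proto  string
	Port   int
}

// Sign is the manufacturer side: serialize the ruleset and sign it.
func Sign(priv ed25519.PrivateKey, rs Ruleset) (SignedRuleset, error) {
	payload, err := json.Marshal(rs)
	if err != nil {
		return SignedRuleset{}, err
	}
	return SignedRuleset{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the router side: check the signature against the manufacturer key
// pinned for this vendor, then check the ruleset is for the model the device
// claimed, so one vendor's ruleset for a thermostat cannot be served to a camera.
func Verify(pub ed25519.PublicKey, claimedModel string, srs SignedRuleset) (Ruleset, error) {
	if !ed25519.Verify(pub, srs.Payload, srs.Signature) {
		return Ruleset{}, errors.New("ruleset signature invalid")
	}
	var rs Ruleset
	if err := json.Unmarshal(srs.Payload, &rs); err != nil {
		return Ruleset{}, err
	}
	if rs.Model != claimedModel {
		return Ruleset{}, fmt.Errorf("ruleset is for %q, device claimed %q", rs.Model, claimedModel)
	}
	return rs, nil
}

// Filter enforces verified rulesets on the router and collects reports for denied flows.
type Filter struct {
	rules   map[string]Ruleset // device id -> verified ruleset
	Reports []string           // one line per blocked flow, for the "report it somewhere" step
}

func NewFilter() *Filter { return &Filter{rules: map[string]Ruleset{}} }

// Authorize records the ruleset for a device that passed onboarding and Verify.
func (f *Filter) Authorize(device string, rs Ruleset) { f.rules[device] = rs }

// Decide returns true only if the flow matches a rule for that device. Unknown
// devices and unlisted destinations are denied and reported, which is what
// stops a compromised device's DDoS traffic at the home router.
func (f *Filter) Decide(fl Flow) bool {
	if rs, ok := f.rules[fl.Device]; ok {
		for _, r := range rs.Allowed {
			if r.Host == fl.Host && r.Proto == fl.Proto && r.Port == fl.Port {
				return true
			}
		}
	}
	f.Reports = append(f.Reports, fmt.Sprintf("blocked %s -> %s:%d/%s", fl.Device, fl.Host, fl.Port, fl.Proto))
	return false
}

func main() {
	// Constructed demo: one manufacturer key, one camera model, one allowed update host.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rs := Ruleset{Model: "cam-2000", Version: 1,
		Allowed: []Rule{{Host: "update.example.com", Proto: "tcp", Port: 443}}}
	srs, _ := Sign(priv, rs)
	verified, err := Verify(pub, "cam-2000", srs)
	if err != nil {
		panic(err)
	}
	f := NewFilter()
	f.Authorize("cam-1", verified)
	f.Decide(Flow{"cam-1", "update.example.com", "tcp", 443}) // allowed
	f.Decide(Flow{"cam-1", "victim.example.net", "tcp", 80})  // blocked: not on the list
	fmt.Println(f.Reports)
}
```

The router must pin the manufacturer's public key out of band (shipped with the router firmware or fetched from a vendor directory it already trusts); if the key is fetched from a URL the device itself names, a compromised device can supply its own key and its own ruleset, which is the spoofing problem the post flags.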