If you don't want to go the USB route, put the printer on its own separate VLAN and/or Wi-Fi network and filter all outbound traffic from that network at the router unless (1) part of a connection initiated from the other side and (2) aimed at another local host. Filter traffic going the other way (opening those connections) to taste - perhaps allow access only to the IPP port and certainly don't allow any inbound traffic to hit it from the wider world.
It's far from perfect - most importantly it doesn't stop manufacturers from making printers which only work if they have an always-on internet connection, and also doesn't stop a scheme where the proprietary Windows/etc drivers send the firmware as part of a print payload, but it probably works "enough" for now.
One other problem with this approach is that it isn't easily open to anyone non-technical.
Another problem is if the update is packaged in a print job, which seems to be an option according to comments here. In that case, the Internet-connected computer may still be hijacked by the manufacturer to bork the printer against the customer's will, by sending a malicious print job to the printer.
The driver & related crapware on your computer can push firmware updates to the printer. From the perspective of your firewall, it goes the same route as a regular print job.
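The router filtering described in the first comment above, written as an nftables ruleset. This is an added example, not part of the original comments; the interface names, addresses and table name are assumptions, and it presumes a Linux router that forwards between the LAN and the printer VLAN.

```nftables
#!/usr/sbin/nft -f
# Constructed example: all names and addresses below are assumptions.
define PRINTER_IF = "vlan30"          # VLAN / Wi-Fi network holding only the printer
define LAN_IF     = "lan0"            # trusted LAN with the print clients
define PRINTER_IP = 192.168.30.10
define LAN_NET    = 192.168.10.0/24

table inet printer_isolation {
    chain forward {
        # A drop here is final; an accept still passes through any other
        # forward chains on the router, so this table only adds restrictions.
        type filter hook forward priority 0; policy accept;

        # Printer -> LAN: allowed only as part of a connection that the
        # LAN side initiated, and only toward a local host.
        iifname $PRINTER_IF oifname $LAN_IF ip daddr $LAN_NET ct state established,related accept

        # Anything else leaving the printer network (internet, other VLANs,
        # connections the printer tries to open itself) is counted, logged
        # and dropped.
        iifname $PRINTER_IF counter log prefix "printer-egress-drop: " drop

        # LAN -> printer: clients may reach the IPP port (631/tcp) only.
        iifname $LAN_IF oifname $PRINTER_IF ip daddr $PRINTER_IP tcp dport 631 accept

        # Everything else headed to the printer, including traffic arriving
        # from the wider world, is dropped.
        oifname $PRINTER_IF counter drop
    }
}
```

The `printer-egress-drop` log lines show when the printer tries to reach outside hosts. As the replies point out, a firmware update delivered inside a print job arrives over the permitted IPP path and is not affected by these rules.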