1st QUESTION
Little confused when you say
3rd NIC (Management Network is on the same network as Sophos LAN = home.lan = 192.168.1.0/24). I want to separate the Management network from other devices on my home.lan, but my PC is on the same network and I really don't know how to do this. I don't want any device on home.lan to be able to access my management network.
If your home LAN has connections for two of the four vmnics you have (corresponding to the network 192.168.1.0/24), and that connection is common to both the Sophos LAN side and the management network of your ESXi host, then it's reachable. If you want to isolate your ESXi management port from everything else on your network, put it in its own VLAN and either don't configure routing to it (just use layer 2), or configure specifically allowed routes. By the way, if two vmnics have the same network connection, it's simplest to put them as uplinks on the same vSwitch to eliminate confusion.
2nd QUESTION
If you don't want your VMs (I'm assuming you're not referring to your Sophos VM when you say this) to talk outside their VLANs, then don't configure those VLANs as routable. ESXi will allow VMs on the same VLAN to communicate, but not VLAN-to-VLAN communication, since that would have to be done by the switch upstream.
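As an added example (not part of the original post or the reply above), here is what that layout looks like in PowerCLI: both vmnics as uplinks on one standard vSwitch, the existing ESXi "Management Network" port group tagged into its own VLAN, and separate tagged port groups for VMs that should only talk within their VLAN. The host name esxi.home.lan, the uplink names vmnic0/vmnic1, and the VLAN IDs 10 (management), 20 and 30 (VM networks) are assumptions for illustration; the upstream switch ports must already be trunks carrying those tags, and the Sophos firewall (or any other router) must simply have no interface in VLAN 10 for the management network to stay layer-2 only, or have rules allowing only the routes you want.

```powershell
# Added example, not from the original thread. Assumed names:
#   esxi.home.lan      - the ESXi host (hypothetical)
#   vmnic0, vmnic1     - the two uplinks that share the same physical network
#   VLAN 10            - ESXi management only (no router interface => layer 2 only)
#   VLAN 20, VLAN 30   - VM networks that must not reach each other or home.lan
# Run this from a console/DCUI session or a second management path: retagging
# the port group your current session uses will drop that session.

Connect-VIServer -Server 'esxi.home.lan'
$vmhost = Get-VMHost -Name 'esxi.home.lan'

# 1) Both vmnics as uplinks on the same vSwitch (replaces the uplink set).
$vs = Get-VirtualSwitch -VMHost $vmhost -Name 'vSwitch0'
Set-VirtualSwitch -VirtualSwitch $vs -Nic 'vmnic0', 'vmnic1' -Confirm:$false

# 2) Put the management VMkernel port group in its own VLAN.
#    VLanId 0 means "untagged", i.e. the same broadcast domain as home.lan.
Get-VirtualPortGroup -VMHost $vmhost -Name 'Management Network' |
    Set-VirtualPortGroup -VLanId 10

# 3) Tagged port groups for VMs; a VM attached here talks only to VMs on the
#    same tag unless an upstream router/switch has an interface in that VLAN.
foreach ($vlan in 20, 30) {
    New-VirtualPortGroup -VirtualSwitch $vs -Name "VM-VLAN$vlan" -VLanId $vlan
}

# 4) Check: every port group should show the tag you expect; anything still at
#    VLanId 0 is reachable from home.lan.
Get-VirtualPortGroup -VMHost $vmhost |
    Select-Object Name, VLanId, VirtualSwitchName |
    Sort-Object VLanId
```

The Sophos VM keeps its LAN vNIC on the untagged (home.lan) port group and gets no vNIC in VM-VLAN20/30, so nothing routes between those VLANs and home.lan; if you later want selective access to the management VLAN, add a Sophos interface in VLAN 10 and allow only the specific source hosts and ports.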