This probably sounds a bit overkill, but this is what I would probably do:
Run all cables back to a central secure room, maybe in a cabinet that can also be locked, so it is easy to manage/upgrade/repair, terminate everything to a patch panel, no one will be able to poke at anything. And can put on battery backup, possibly set up alerts if power goes out.
I would just stick with standard Cat6 for everything. (Cat6A is for longer 10G copper runs, no benefit for a TV)
RB4011 or RB5009 as the main router, using a short 10G DAC to connect switch to router. Will have enough performance to run Gigabit speed internet.
CRS354-48P-4S+2Q+RM to run everything. It's a bit overkill, but will leave room for expansion. Otherwise do the same with the CRS328-24P-4S+RM but will have no spare ports on the switch. (Benefit also as it's all PoE, you can plug in VoIP phones, IoT devices, etc. and you can monitor it.) If cost is an issue, can use the non-PoE version with the passive power injectors for the APs.
cAP ac or cAP XL ac for access points.
Management VLAN. (e.g. 90)
VLAN for each FLAT. (e.g. 10, 20, 30, 40)
IoT VLAN for each FLAT. (e.g. 11, 21, 31, 41)
TV VLAN for each FLAT. (e.g. 12, 22, 32, 42)
On wireless AP ports assign Management (e.g. 90, maybe also add a separate management SSID) and all wireless FLAT VLANs (e.g. 10, 11, 20, 21, 30, 31, 40, 41), then add the 8 SSIDs (one for each flat, and one additional for each flat IoT) to each AP connected to their assigned VLANs. (This will allow better coverage of the whole building.)
Plug NVR directly into router.
Will take a bit of programming/firewalling to make sure everything is secure and separate.
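
The VLAN numbering and AP trunk described above, with one possible default-deny forwarding policy, as an added example that is not part of the original post. The interface names (`vlan10` and so on), the interface list name `VLANS`, and the policy itself (management reaches everything, a flat's main VLAN may initiate to its own IoT and TV VLANs, nothing else crosses) are assumptions.

```python
from itertools import permutations

MGMT = 90
FLATS = (1, 2, 3, 4)
ROLES = {"main": 0, "iot": 1, "tv": 2}  # flat N -> 10N, 10N+1, 10N+2

def vlan_plan():
    """Map VLAN id -> (role, flat) using the post's numbering."""
    plan = {MGMT: ("mgmt", None)}
    for flat in FLATS:
        for role, offset in ROLES.items():
            plan[flat * 10 + offset] = (role, flat)
    return plan

def ap_trunk(plan):
    """VLANs tagged on AP ports: management plus each flat's main and IoT."""
    return sorted(v for v, (role, _) in plan.items() if role != "tv")

def allowed(plan, src, dst):
    """Assumed policy: may src VLAN open new connections to dst VLAN?"""
    (s_role, s_flat), (d_role, d_flat) = plan[src], plan[dst]
    if s_role == "mgmt":
        return True                      # admin reaches everything
    if d_role == "mgmt" or s_flat != d_flat:
        return False                     # no tenant -> mgmt, no flat -> flat
    return s_role == "main"              # main -> own IoT/TV, never the reverse

def forward_rules(plan):
    """RouterOS forward-chain rules; vlanNN and the VLANS list are assumed names."""
    base = "/ip firewall filter add chain=forward "
    rules = [base + "action=accept connection-state=established,related"]
    for src, dst in permutations(sorted(plan), 2):
        if allowed(plan, src, dst):
            rules.append(f"{base}action=accept in-interface=vlan{src} out-interface=vlan{dst}")
    # Final rule drops any other VLAN-to-VLAN traffic; internet-bound traffic is untouched.
    rules.append(base + "action=drop in-interface-list=VLANS out-interface-list=VLANS")
    return rules

if __name__ == "__main__":
    print("\n".join(forward_rules(vlan_plan())))
```

Every VLAN interface has to be a member of the `VLANS` interface list for the final drop rule to take effect.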