VLANs allow the logical division of a physical device into multiple logical devices. If you are not connected to both VLANs in some fashion, then adding routes locally doesn't change anything, since your routes would still need to point at another router or gateway device. On most VLANs, the only router/gateway device is already configured as the default route/gateway on your system.
It is the router/gateway that makes decisions on what to route between VLANs/subnets. At this point, access can be controlled on what resources and types of traffic are allowed in and/or out of the VLAN.
VLANs can help to improve security in a number of ways, but they are not security all by themselves. There are also exploits that can allow VLAN hopping if your network is not configured correctly.
Here are a couple of non-exhaustive ways that VLANs can be used to improve security:
- They limit the scope of where broadcast traffic or flooded unicast traffic is transmitted. If Host A is not on the same VLAN as Host B, it will not see any information that Host B may broadcast.
- You can create VLANs with no gateway at all, which limits a device to access only other devices in that VLAN. It also prevents access to those devices from outside the VLAN.
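As an added illustration (not part of the answer above), here is a small Python model of the forwarding decisions the answer describes. The three-VLAN topology, the router addresses and the inter-VLAN policy are constructed for this example; it shows that a host cannot reach another VLAN without a reachable gateway, that the router's policy decides what crosses between VLANs, and that a route added locally toward a gateway in a VLAN you are not attached to changes nothing.

```python
import ipaddress

# Constructed topology (assumption for this example): VLAN id -> subnet.
VLANS = {10: ipaddress.ip_network("10.0.10.0/24"),
         20: ipaddress.ip_network("10.0.20.0/24"),
         30: ipaddress.ip_network("10.0.30.0/24")}  # VLAN 30 has no gateway at all

# The router is the only device attached to more than one VLAN (constructed).
ROUTER_IFACES = {10: "10.0.10.1", 20: "10.0.20.1"}
# Inter-VLAN policy enforced at the router: source VLAN -> allowed destination VLANs.
ROUTER_POLICY = {10: {20}, 20: set()}


def vlan_of(ip):
    """Return the VLAN id whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in VLANS.items() if addr in net), None)


class Host:
    def __init__(self, ip, routes):
        self.ip = ip
        self.vlan = vlan_of(ip)
        # routes: list of (prefix, next_hop); next_hop None means directly connected.
        # Sorted longest-prefix first so the most specific route wins.
        self.routes = sorted(((ipaddress.ip_network(p), gw) for p, gw in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def can_reach(self, dst):
        """Model the host's forwarding decision plus the router's policy."""
        addr = ipaddress.ip_address(dst)
        for net, gw in self.routes:
            if addr in net:
                break
        else:
            return False                         # no matching route at all
        if gw is None:                           # on-link: only within own VLAN
            return vlan_of(dst) == self.vlan
        if vlan_of(gw) != self.vlan:             # next hop is in a VLAN we're not on
            return False
        if gw not in ROUTER_IFACES.values():     # next hop is not a router/gateway
            return False
        return vlan_of(dst) in ROUTER_POLICY.get(self.vlan, set())


if __name__ == "__main__":
    a = Host("10.0.10.5", [("10.0.10.0/24", None), ("0.0.0.0/0", "10.0.10.1")])
    c = Host("10.0.30.5", [("10.0.30.0/24", None), ("10.0.10.0/24", "10.0.10.1")])
    print(a.can_reach("10.0.20.9"), a.can_reach("10.0.30.9"), c.can_reach("10.0.10.9"))
```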