I did enough poking around to figure out the way everything was connected. And it seems I was the only one since there was some potential for mischief but luckily nobody had the motivation or reason to explore as much as I did.

In each of the 128 apartments:

• Two proprietary closed-source PLCs that control all the relays; they are controlled via ethernet and have hardcoded static IPs
• A Wi-Fi router/access point with a custom configuration to tie together all network devices in the apartment and connect all apartments to the IP doorbells of the building's entrances as well as the weather station on the roof using an internal LAN. It has a static IP inside the apartment and one obtained by DHCP from the "master router" for the whole building.
  Note: This router does not provide general internet access - each tenant is supposed to utilize the FTTH cabling and get their own separate network equipment for that. (Which is fine.)
• An Android-based wall-mounted tablet that connects wirelessly to the hidden SSID provided by the router/access point - also configured with a static internal IP address.

In the common areas of the building:

• Enough LAN switches to connect all apartments to a common internal network
• A "master router" that gives out DHCP IPs for the internal network and also provides some limited internet connectivity

And boy, this "limited internet connectivity" was a hack job:

• It passed through some whitelisted IP ranges so the weather forecast Android app would get data.
  In the years to come, I would become the "unofficial" maintainer of the whole system and would periodically fix the whitelist when the provider changed server infrastructure - but after so many years, the outdated weather app would stop working on Android 4.2/4.4 based tablets and the weather forecast is no longer available.
• The presence of TeamViewer server on all the tablets also implied that the vendor implemented it as a rudimentary remote control system - those neighbors who figured it out could for a time enjoy controlling everything remotely.
  This too, relied on a hardcoded IP range whitelist. But what failed first was TeamViewer stopped supporting the outdated server app on Android 4.2/4.4 and remote control capabilities were lost.
• I later also discovered the vendor set up a VPN client on the "master router" so they could tweak the system remotely, and they also left the web interface (though password protected) exposed to the internet :-O Once I gained access to it (sanctioned by the tenant association), I promptly fixed that.