(Please see my updated answer)
TL;DR: As a GM, I would call that the Technomancer is right, and the GM should rethink hacking devices slaved to hosts. If a device is wireless, you can hack it like normal, using the host's rating as a firewall (unless you have DNI, and then you just attack it directly). Just like a PAN, devices are still visible to the Matrix even when slaved. Icons in the host are assumed (by me) to be virtual. Look at the Dante's Inferno example if you want to know why I assume so.
I've been searching for prime book examples, but it's hard to find it spelled out. So, below is the research I did, followed by my conclusion.
First, on 216:
wide area network: A set of devices slaved to a host.
This sets what we already know: You can slave a device to a host. I wanna make sure we define what a host is, so on page 219 we find:
Hosts are virtual places you can go in the Matrix. They have no physical location, being made up of the stuff of the Matrix itself.
Simple enough, right? Hosts are servers on the cloud.
I found this bit at the top of 221 interesting:
High-class hosts advertise "No public-grid connections allowed" to show how their clientele are elite.
Alright, so we've established that hosts can block people who are connecting from certain grids.
Page 224 has an example of attacking a host, but using a DNI and connecting directly to an offending unit. But they do say this:
He ignores the bank's firewalls surrounding the lock, attacking the lock through his direct link.
This tells me he has the option of hacking the lock using the Matrix, but he'd have to go against the firewall. Instead, he's using a DNI, so no firewall. And he's not even on the host yet. Key piece of data there, but let's read on to see what else we can find.
I found a bunch more relating to the effects of attacking hosts, but that's not needed. Hmm, what else.
Ah, on page 233:
There are risks to slaving devices. Because of the tight connections between the devices, if you get a mark on a slave you also get a mark on the master. This happens even if the slave was marked through a direct connection, so be careful about who you give your slaved devices to. This doesn’t work both ways; if you fail a Sleaze action against a slaved device, only the device’s owner gets the mark on you, not the master too.
There are also wide area networks, or WANs, with multiple devices slaved to a host. A host can have a practically unlimited number of devices slaved to it, but because of the direct connection hack you rarely see more devices than can be protected physically. If you are in a host that has a WAN, you are considered directly connected to all devices in the WAN.
So, we've established that devices can be slaved to a host via a WAN. Alright. And it looks like you CAN attack a device without being on the WAN, as per the example, but you'd have to go through the host's firewall. Alright. And if you get a hit, you get a hit on the host, of course. Let's keep going just in case, but right now it's looking like the GM might need to rethink the rules. But, let's read on, I know there's more:
Page 236 gives us:
If you can show a device or host or whatever that you have the right mark, you can go where you want to go.
And later:
There are three ways to get a mark on an icon. The first is the legitimate way: the icon invites you to add a mark. For example, when you pay the cover to get into the host of Dante's Inferno, the host sends you an invite to mark it so you can enter and join the party. The other two ways are by hacking, both Matrix actions: Brute Force (the loud way) or Hack on the Fly (the sneaky way).
So accessing the host requires that you have a mark. But the previous example implies, to me, that you didn't have to have access to the host to hack the maglock. So far it all seems in line.
Page 239 has the Enter/Exit Host action, which requires a mark on the host. So, you'd have to be able to hack the host before you can get inside. And since slaved devices are hackable points, that tells me, still, you don't have to be on the host to hack the devices.
Page 246 says:
Each host is on a specific grid. Like the rest of the Matrix, a host can be accessed from any grid.
So, there's that. I guess hosts can ban people from a certain grid, but you can still hack into it from the public grid. You just won't be invited. But wait! I found a section about icons being drawn into the host!
Page 246 also said:
The virtual space inside a host is separate from the outside grid. When you’re outside of a host, you can’t interact directly with icons inside it, although you can still send messages, make commcalls, and that sort of thing. Once you’re inside, you can see and interact with icons inside the host, but not outside (with the same caveat for messages, calls, etc.).
The thing I want to point out is that there's no mentioning of hosts being able to put their slaved device icons internal, because these are physical devices and they're just being slaved. So, if the device is wireless, then you can hack it. If it isn't, you need a DNI or access to the host.
Best Answer
It would be kind of silly if you couldn't group up devices like that. If you think about it, modern networks work very much like this. Take a modern-day setup. We have companies with servers that all slave a number of computers to themselves. Those computers, in turn, will slave other devices (such as flash drives, mice, keyboards, monitors, ect.)
Your rational is correct. You can, indeed, create groups of devices, slave them to a commlink, and then have the decker slave the commlinks to himself. This creates a mobile PAN (personal area network) mesh that the decker can more easily police and protect, since he's the first thing an enemy hacker has to get through. There are, of course, problems with this setup.
The biggest flaw to this setup is what happens when someone DOES make it through your detection and firewall unchecked? The answer? They now have EVERY piece of hardware your entire team owns at their fingertips. And until you can get them out of your node, they can choose to screw with any of the devices. Normally, if they want to hack the street sam, they'd need to be within range and hack their commlink separately. It's easier, but that's multiple points of failure, since the enemy hacker can't get to anyone else on your team through the sam. With you protecting the group, you're more likely to catch any intrusion, but if you fail, the enemy hacker now has three marks on your entire team and hilarity can ensue (read: bad things for your team).
Generally, you want to protect all of your party members and slave all of their devices to your deck. Period. There is no reason NOT to do this, honestly. The chances that you'll miss a hacker in your system are pretty low anyways, and even if you do miss them, rebooting your deck will sever the connection and erase the hacker's marks on your deck, forcing the enemy hacker to have to start again on someone else's device.