A comment on the reference design: it oversells identity-based firewalling. Once you have the relevant broadcast and multicast filtering rules applied, you can indeed have clients on different VLANs on the same SSID (and VLANs that span SSIDs as well).
We've found that being able to do the math in your head as far as knowing what policy a host is under is pretty invaluable. Having to scurry off to a management console and look up a client to see what dynamic role they are in slows diagnosis down a whole lot. It's much better if you can say "Oh, the third octet in the IP is 3, that's a professional staff member" or whatnot. Even helpdesk staff can sometimes be taught such things (depending on the quality of your helpdesk staff, this may require Pavlovian techniques, but it is generally doable).
The only real major drawback to multiple VLANs is when you want to configure AirGroup for a protocol that is hardcoded to ignore things outside what it thinks its broadcast domain is.
Of course, if you can figure out how to assign different ranges to different clients while keeping them in the same VLAN, you can have your cake and eat it too.