I would suggest to try to do it like this :
- Under System -> enable the "Deny local routing" (it will block communications between clients on different WLAN's)
- Under the role of the Guest SSID you add a rule with deny traffic to the Guest subnet (don't forget to exclude the Gateway and DNS in case you have them local defined)
That should provide some level of security :)