I am not all that familiar with the ESI redirection, so it might be a way around L2-connected clients "seeing" each other.
The other way is to create the policies on the controller. They are definitely stateful, so if you open an application for the WLAN clients, the return traffic will be allowed.
You would need to open any wired-initiated traffic holes that you want (from the controller toward the WLAN clients).
Yes, there is an implicit deny all at the end of any ACL used for traffic management.
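As an added illustration of the points above (not from the original post, and assuming an ArubaOS-style controller, since ESI is that platform's term; the role and ACL names are made up), a session ACL that opens an application outbound for WLAN clients, separately opens one wired-initiated hole toward them, and otherwise relies on the implicit deny:

```text
! Stateful session ACL applied to the WLAN client role.
! "user" = the authenticated client's own address.
ip access-list session wlan-client-acl
  ! Client-initiated HTTPS out; return traffic is allowed by the
  ! stateful session entry, so no reverse rule is needed.
  user any svc-https permit
  ! Wired-initiated hole: allow SSH from the wired management subnet
  ! (assumed 10.10.0.0/24) toward the WLAN clients.
  network 10.10.0.0 255.255.255.0 user svc-ssh permit
  ! Anything else is dropped by the implicit deny at the end of the ACL;
  ! the explicit line is only here to log what is being dropped.
  any any any deny log

user-role wlan-client
  session-acl wlan-client-acl
```

Without the second rule, wired hosts could not reach the WLAN clients even though the clients can reach out, which is exactly the "wired-initiated holes" point made above.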