So the reality is to prevent RF from bleeding outside, there's one fool proof way, and one that you can try to tune and test.
First, the for sure way is to put RF shielded paint on walls and RF shielding films on the windows. This gets kind of pricey but is used by numerous high security organizations worldwide and works very well.
The other alternative is a combination of specific AP placements, adjusting AP power, and using APs with external antennas with the antennas firing in to the building away from the walls. So in most cases if RF shielding cannot be used, any perimeter APs will use either APs with narrow downfiring antennas, or APs mounting on the perimeter with directional antennas firing in towards the building coverage area. This is not a fool proof measure but with tuning, proper placement and planning, etc you can get it such that practical use of the RF outside the building is not possible.
So the first way is easy but expensive, the latter is less costly but time consuming (high labor cost). The other alternative is to do what CJoseph suggested, you can put permiter APs in their own group with some special SSID settings to put a high probe threshold. While it will keep users off, it won't stop sniffing/eavesdropping. You could also move the guest network to a BYOD CP where device registration moves them to a secure network so that per client connections are encrypted once they go through the captive portal and get onboarded into a guest role.