Client isolation on guest vlan in BATMAN mesh doesn't work

And I think I found the culprit:
This option keeps a copy of arp table on (some) nodes:
option distributed_arp_table 1
If I understand correctly what is happening here, the scanner goes through the IPs in the subnet - asking "Where's". First thing batman does is it checks the arp table it has locally - and instantly replies: "it's at 08:CD:AB:34:12". Oh, great, the scanner says - dear user, I found a device! And continues through the range.
So to keep the devices stealthy, you need to both disable the distributed arp table AND enable ap_isolation.