Jeff, I think our definitions of "straightforward" are quite different 
and you're way ahead of me.
Intent is:
- two internal firewall zones "lan" and "guest"
- "lan" firewall zone includes 3 ports of the switch and the "home" SSID on both wifi bands
- "guest" zone includes 1 port and the "guest" SSID
- traffic is allowed from guest to wan, from lan to guest but not from guest to lan
This way I can segregate a fussy wired client in the guest segment when needed.
I gave your settings a spin and, touch wood, it looks like what I wanted: the key insight is "away from vid 1 and 2". Other than that, even configuring via LUCI gives the expected result. Thanks
EDIT, adding key parts of the config to help others:
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '101'
option vid '101'
option ports '0t 1 2 3'
config switch_vlan
option device 'switch0'
option vlan '102'
option vid '102'
option ports '0t 4'
config interface 'lan'
option ifname 'eth0.101'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option stp '1'
config interface 'guest'
option type 'bridge'
option proto 'static'
option ifname 'eth0.102'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option stp '1'