Network discovery typically relies on multicast traffic which scope is limited.
However, according to your current settings, accessing LAN hosts by IP should be possible.
Indeed, knowing the address, it is possible to access a host on my LAN. So I guesst what I said above is true, that I need to define firewall rules to block guest access to hosts on 192.168.234.*.
uci set firewall.@forwarding[0].enabled="0"
uci -q delete firewall.guest_fwd
uci set firewall.guest_fwd="rule"
uci set firewall.guest_fwd.name="Allow-Guest-Forward"
uci set firewall.guest_fwd.src="guest"
uci set firewall.guest_fwd.dest="lan"
uci set firewall.guest_fwd.dest_ip="!192.168.234.0/24"
uci set firewall.guest_fwd.proto="all"
uci set firewall.guest_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
Isolating clients was trivial using the 3 lines Vladislav had referred to. For interested folks with the same issue, look at all posts above I marked as solution. All of these combined did the trick.
Big thanks a lot to @vgaetera and @mk24 , guest wifi is how I wanted now.
I have now just marked the first in the series of additions by Vladislav.
Interested readers need to start looking there and follow the advice from there.