Your current firewall filter allows everything. The only thing you block are packets with invalid state, which in this case doesn't make anything more secure. Anyone from anywhere can establish new connections to anywhere else. Guests can access not only your other routers/modems, but also anything in main LAN. Even connections from outside would be possible if you'd have router connected directly to ISPs without other routers.
It wasn't possible before, because when you marked routing for guests, only to_WAN1 routing table was used. I don't know what's there, I assume just one default route. So it didn't work (they were not able to connect), but not because anything was blocked, but because those packets were sent to internet and therefore had no chance to reach destination (@Zacharias: I'm sure you understand that this is not proper way how to block something; my complaint about your method is not about using mangle rules instead of routing rules, that's fine, but that the end result relies on this).
The simplest way would be only block access from guests to local networks, e.g.:
/ip firewall filter
add chain=forward in-interface=private-guest-vlan dst-address=192.168.0.0/16 action=drop
But better way would be to make real firewall, which means:
- accept established, related and untracked
- drop invalid
- accept what should be allowed (LAN to all WANs, guests to WAN1, ...)
- unconditionally reject or drop the rest
And similarly for input chain, now you allow everything, but do you really want guests to be able to connect to router (WinBox, WebFig, ...)? Probably not, even if they don't know password.