I've been working on a few Cambium cnPilot deployments lately and they recently added a very cool feature called "ePSK", which allows for one WiFi SSID to have multiple passwords, with each password being capable of putting the end device on a different VLAN. This is useful for a few reasons:
You can do that with WPA2-EAP (instead of WPA2-PSK), which is the usual way this is deployed (not depending on some specific manufacturer's method).
When you configure an access point with WPA2-EAP and you try to connect it with a client, the client will ask for a username and password instead of only a password.
You can make unique user IDs for every user and have all kinds of attributes for the users (including the VLAN), or you could decide to use the username only as a "group name" which is used by all users that need to connect to some VLAN.
The only disadvantage is that the username has to be typed in, where having different SSIDs would mean they can be selected from a list.
* It's more secure, as anyone with the key can decrypt traffic, so giving a unique key to every user would be better for security.
That is not correct. The users connected to a single WPA2-PSK access point (with one SSID and password) do NOT all use the same key!
The key is generated during the session setup (and changed at regular intervals) so it is NOT possible to decrypt other people's traffic unless you have done some attack on that key establishment procedure.
* Using the ability to assign different VLANs to different passwords, you can reduce the number of SSIDs being broadcast, and therefore the number of beacons the AP is sending out, improving performance.
With WPA2-EAP you have the same advantage: you can use only a single SSID and have different networks based on the logged-in users.
Most important, I think, is that WPA2-EAP is standards-based rather than some trick implemented by one specific manufacturer that you try to convince another one to implement too.
(which could even run them into patent/license issues!)
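
The per-user VLAN attribute mentioned above for WPA2-EAP is normally carried in three RADIUS tunnel attributes in the Access-Accept (RFC 2868 / RFC 3580). The sketch below is an added example, not part of the original post: it encodes those attributes for a username used as a "group name" and parses them the way an access point would; the group names and VLAN IDs are constructed.

```python
import struct

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy: the username acts as a "group name" that selects a VLAN.
GROUP_VLANS = {"staff": 10, "guest": 20, "iot": 30}


def vlan_attributes(username: str) -> bytes:
    """Encode the three tunnel attributes a RADIUS server adds to Access-Accept."""
    vlan_id = GROUP_VLANS[username]          # KeyError: unknown user, no VLAN
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tag = 0x00                               # RFC 3580: unused tag is zero
    group = bytes([tag]) + str(vlan_id).encode("ascii")
    return (
        # Tagged integer attributes: 1-byte tag followed by a 3-byte value
        struct.pack("!BBB3s", TUNNEL_TYPE, 6, tag, VLAN.to_bytes(3, "big"))
        + struct.pack("!BBB3s", TUNNEL_MEDIUM_TYPE, 6, tag,
                      IEEE_802.to_bytes(3, "big"))
        + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group
    )


def assigned_vlan(attrs: bytes):
    """Parse attributes as an access point would; return the VLAN ID or None."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 3 or i + a_len > len(attrs):
            raise ValueError("malformed attribute")
        seen[a_type] = attrs[i + 2:i + a_len]
        i += a_len
    # Require all three attributes to agree before trusting the VLAN ID.
    if (int.from_bytes(seen.get(TUNNEL_TYPE, b"")[1:], "big") != VLAN
            or int.from_bytes(seen.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big") != IEEE_802
            or TUNNEL_PRIVATE_GROUP_ID not in seen):
        return None
    group = seen[TUNNEL_PRIVATE_GROUP_ID]
    if group[0] <= 0x1F:                     # first byte is a tag, not a digit
        group = group[1:]
    vlan_id = int(group.decode("ascii"))
    return vlan_id if 1 <= vlan_id <= 4094 else None
```

The parser accepts the group ID with or without the leading tag byte, since both forms are allowed for this string attribute.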