Route the end users and do not bridge them. Problem solved before it exists.
Agreed - the more you break up your layer2 broadcast domains, the better off you will be and the more impervious to these layer2 issues your network will be.
Even if you go with the extreme case where each individual AP is a router (not just a bridging AP) then you can completely eliminate the chance for such things by disallowing client-to-client communication on the SSID (In Mikrotik, default-forward=no / in Ubiquiti, it's called client isolation). If you use Mikrotik bridges, you can limit the "east/west" traffic by using split-horizon functionality. In the ports menu, simply set a horizon value on ports where you want this. All ports with the same horizon number will be blocked from communicating with each other.
In the end, I agree with Eggplant that limiting the scope of your layer2 domain is the best way to set up a network.