This is my current setup...
Is this a best practice or are there better ways to achieve this, maybe without a bridge and involving VLANs?
That's very similar to my configuration on my ax2 (and ac2 before that). I have two slave guest networks (one for 2GHz and one for 5GHz) which share the same security configuration profile. They're in a single guest bridge, which has its own IP, DHCP server, and filter and NAT firewall rules. I put in some forward blocks so that packets can't be routed between it and the other bridges/networks, isolating it entirely. I haven't rigorously tested it but my friends and family are trustworthy...I think...
I have a third slave network, tied off the 2GHz master, dedicated to IoT devices. As posted on another topic, I had to disable the "256" varieties of encryption as some of the IoT devices don't play nicely with them enabled. I have similar filter/NAT rules but there are two devices that I need to access from my primary wired & wireless networks so I've poked a few holes. I'd like to lock the IoT devices down to MAC addresses but it appears the access-list isn't yet functional (or I'm using it wrong) in 7.8.
So far, I'm happy with the setup.
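As an added illustration of the layout described in the reply above (a dedicated guest bridge with its own address, DHCP server, masquerade rule and forward drops so it cannot reach the other bridges), here is a RouterOS 7 CLI fragment. It is example configuration, not the poster's actual export; the interface names (ether1, bridge-lan, bridge-guest, wifi-guest-2g, wifi-guest-5g), the 192.168.10.0/24 and 192.168.20.0/24 subnets and the single "poked hole" for a LAN host are all assumptions chosen for the example.

```routeros
# --- Guest bridge: both guest slave radios land in one L2 segment ---
/interface bridge
add name=bridge-guest comment="isolated guest segment (example)"
/interface bridge port
add bridge=bridge-guest interface=wifi-guest-2g
add bridge=bridge-guest interface=wifi-guest-5g

# --- Interface lists make the firewall rules readable and hard to get wrong ---
/interface list
add name=WAN
add name=LAN
add name=GUEST
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge-lan
add list=GUEST interface=bridge-guest

# --- Separate address, pool and DHCP server for the guest segment ---
/ip address
add address=192.168.20.1/24 interface=bridge-guest
/ip pool
add name=pool-guest ranges=192.168.20.10-192.168.20.250
/ip dhcp-server
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest lease-time=1h
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# --- NAT: guests share the WAN address like everyone else ---
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN src-address=192.168.20.0/24 \
    comment="guest -> internet"

# --- Input: guests may only talk DHCP and DNS to the router itself ---
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=53,67 \
    comment="guest: DHCP + DNS to router only"
add chain=input action=drop in-interface-list=GUEST comment="guest: no other router access"

# --- Forward: allow replies, then block guest <-> LAN before the generic accept ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface-list=GUEST out-interface-list=LAN \
    comment="guest cannot reach LAN"
add chain=forward action=drop in-interface-list=LAN out-interface-list=GUEST \
    connection-state=new comment="LAN cannot initiate to guest"
# Example of a deliberate hole (the IoT case in the reply): one LAN host may
# reach one guest/IoT device on one port. Place such accepts ABOVE the drops.
add chain=forward action=accept src-address=192.168.10.50 dst-address=192.168.20.77 \
    protocol=tcp dst-port=8123 place-before=[find comment="guest cannot reach LAN"] \
    comment="hole: LAN host -> IoT device web UI (example)"
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN \
    comment="guest -> internet"
add chain=forward action=drop in-interface-list=GUEST comment="guest: drop everything else"
```

The quick check after applying this is to associate a client with the guest SSID and confirm three things: it gets a 192.168.20.x lease, it can resolve names and reach the internet, and `ping 192.168.10.1` (the LAN gateway) and any LAN host time out. `/ip firewall filter print stats` shows the drop counters climbing while you run those tests, which is the evidence the reply says it never rigorously collected. Note that the drops are expressed with interface lists rather than addresses, so a guest that assigns itself a static LAN address still hits the same rule.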