One thing I did not write correctly, Guest mode right now denies communication between connected Wireless users. So there is at least that level of security.
I believe what he was saying is that Guest mode should include a rule that denies all traffic !out-interface=wan, and also in-interface=lan & out-interface=guest so that the guest network is unable to access the LAN side of the customer network.
Also something that I would appreciate seeing implemented as I recently had an issue where someone tried to enable the guest network and realized that it didn't restrict access to the LAN.