Guest is very restrictive.
I would suggest DMZ is better suited for your purposes...it will have internet access but will not be able to access the LAN
What about the private network being able to access the DMZ? If I use separate address space and don't configure NAT, will it effectively be isolated, or does the DMZ network type automagically allow those connections to work?
The unit automatically allows Private LAN networks to have full access to DMZ's networks.
Right, but as this will be used as a guest network, I don't want the LAN to have access.
A packet filter rule will achieve what you want
all settings defaults except
name: Block LAN to DMZ
Incoming Interface: Any LAN interface
Outgoing Interface: Any DMZ interface