CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I have a new Orbi and see the same problem with the current s/w (2.1.1.16).

My Orbi is in AP mode sitting behind a Cisco RV325 router that provides better security, plus VLANs used for wired IOT devices (amazingly I have three of these).

I enabled a Guest network and did NOT check the "enable guests to see...".  I connect to the Guest network with my phone and run a scan and I can see all the devices on the primary network.  Access to some devices was blocked (e.g., Epson printer), but access to other devices (e.g., router) was possible.

This is NOT a secure Guest network.  Odd, because certainly NetGear knows how to do this right.  It could be done with VLAN tagging from the primary router, it could be done with a separate address space entirely (e.g., 10.x.x.x), etc.

Netgear has a real opportunity to meet a very real consumer need:

a) primary wifi network for home users.

b) guest wifi network for general use (that works as advertised, but not as implemented)

c) secure secondary wifi network for IOT devices which isolates every device from every other device and from the primary network.

d) secure wired network (at least one port which can be connected to switch) for wired IOT devices (pool, garage door opener, window shades, etc.) isolated from all other devices and networks.

These are de facto VLANs, though I understand that they can't be presented as VLANs for consumers.  But that is the need and certainly Netgear has the ability to provide the functionality and then package it as something more consumer friendly.

But for now they have not done that and the Guest network is not secure.