So we set the SSID for LAN access to bridged mode, disabling Layer 2 LAN Isolation (they should name this Layer 2 LAN Client Isolation instead).
What is happening now is we have an Exchange server behind our MX on the 192.168.1.0/24 subnet. People had their phones set up to connect to it from the internet, and the MX was forwarding traffic incoming on port 443 to port 443 on the Exchange server.
After the Hafnium and ProxyShell attacks we decided to close port 443 on the MX by deleting the forwarding rule. So nobody could get email on their phones. Except... several phones were able to receive email while connected to a guest SSID on the MR even though the guest SSID has Deny Local LAN applied. The phones appear to be using IMAP to connect and at least one has the email server as our external IP. If, in the MR, I block any traffic on any port to our external IP, they stop receiving email.
I assume the MX recognizes that the packets destined for its external IP are ones that it will process, so it doesn't try to send them out to the internet and back in, so maybe they stay on the LAN side of the MX firewall. But when I don't have the external IP blocked, I don't understand how traffic gets to the phones when there is no forwarding rule in the MX to the Exchange server.
Well, that weirdness aside, it looks like the clients on the guest SSID (10.0.0.0/8) aren't able to reach the LAN IPs (192.168.1.0/24). But it took a while to realize I had to block the external IP of the MX. I still don't know why - the MX should not have forwarded the packets to the Exchange server without a forwarding rule.