Yes, client steering is usually reliable and I honestly rarely see any issues with it. I would use it unless you see proof of issues.
Agreed on the second point about SSIDs 1 & 2 being in NAT mode. NAT mode is typically a guest use case only. I would use bridge mode for employee devices.
You can tunnel SSIDs to an MX. It is loosely similar to guest tunneling to a WLC. It uses a VPN tunnel, so there is crypto overhead that impacts AP throughput. You also need to size the MX appropriately for the number of APs (tunnels) it will terminate, and you'd want an HA pair or primary & secondary MX to eliminate a single point of failure for guests. All of this adds up to more infrastructure, cost, and management.
If it were me, I would use NAT mode for guests, along with MR firewall rules, traffic shaping, etc., and keep cost lower and the design simpler. I support hundreds of customers and I can only think of a couple that do guest tunneling to an MX.
Ryan
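An added example (not part of the original post or Meraki's own code) that turns the recommendation above into a check: guest SSIDs should be in NAT mode with local LAN access denied, and employee SSIDs should be in bridge mode. The dictionary shapes follow the Meraki Dashboard API responses for the wireless SSID and SSID L3 firewall endpoints (`ipAssignmentMode`, `allowLanAccess`, `rules`), but the SSID records below are constructed sample data, and the convention that guest SSIDs are identified by name is an assumption for the example.

```python
"""Audit wireless SSID settings against the NAT-mode-for-guests guidance.

Record shapes mirror the Meraki Dashboard API responses for
GET /networks/{networkId}/wireless/ssids and
GET /networks/{networkId}/wireless/ssids/{number}/firewall/l3FirewallRules.
The sample data below is constructed for this example, not pulled from a
live dashboard, and the guest-by-name convention is an assumption.
"""
from typing import Dict, List, Set

# Constructed sample: three SSIDs as the SSID list endpoint would return them.
SAMPLE_SSIDS: List[Dict] = [
    {"number": 0, "name": "Corp-Employees", "enabled": True, "ipAssignmentMode": "Bridge mode"},
    {"number": 1, "name": "Guest", "enabled": True, "ipAssignmentMode": "NAT mode"},
    {"number": 2, "name": "Contractors", "enabled": True, "ipAssignmentMode": "NAT mode"},
]

# Constructed sample: per-SSID L3 firewall settings keyed by SSID number.
# allowLanAccess=False is the "Deny local LAN" setting for that SSID.
SAMPLE_L3: Dict[int, Dict] = {
    0: {"allowLanAccess": True, "rules": []},
    1: {"allowLanAccess": False, "rules": [
        {"comment": "Guest: block RFC1918", "policy": "deny", "protocol": "any",
         "destPort": "Any", "destCidr": "10.0.0.0/8"},
    ]},
    2: {"allowLanAccess": True, "rules": []},
}

# Assumption for this example: guest SSIDs are recognised by name.
GUEST_SSID_NAMES: Set[str] = {"Guest"}


def audit_ssids(ssids: List[Dict], l3: Dict[int, Dict], guest_names: Set[str]) -> List[str]:
    """Return one finding per enabled SSID that deviates from the guidance.

    Guest SSIDs: must be NAT mode and must deny local LAN access.
    Non-guest (employee) SSIDs: must not be NAT mode (bridge mode expected).
    """
    findings: List[str] = []
    for ssid in ssids:
        if not ssid.get("enabled", False):
            continue  # disabled SSIDs carry no traffic; skip them
        num, name, mode = ssid["number"], ssid["name"], ssid.get("ipAssignmentMode", "")
        fw = l3.get(num, {})
        if name in guest_names:
            if mode != "NAT mode":
                findings.append(f"SSID {num} '{name}': guest SSID is '{mode}', expected NAT mode")
            # Missing firewall data is treated as LAN access allowed (fail closed on the audit).
            if fw.get("allowLanAccess", True):
                findings.append(f"SSID {num} '{name}': guest SSID allows local LAN access; deny it")
        elif mode == "NAT mode":
            findings.append(f"SSID {num} '{name}': NAT mode on a non-guest SSID; use Bridge mode")
    return findings


def guest_l3_payload() -> Dict:
    """Corrected guest firewall body for PUT .../ssids/{number}/firewall/l3FirewallRules:
    local LAN denied plus explicit RFC1918 deny rules (the default allow remains last)."""
    return {
        "allowLanAccess": False,
        "rules": [
            {"comment": "Guest: block RFC1918", "policy": "deny", "protocol": "any",
             "destPort": "Any", "destCidr": cidr}
            for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
        ],
    }


if __name__ == "__main__":
    for line in audit_ssids(SAMPLE_SSIDS, SAMPLE_L3, GUEST_SSID_NAMES):
        print(line)
```

On the sample data the audit reports only the "Contractors" SSID (NAT mode on a non-guest SSID); the guest SSID passes because it is NAT mode with LAN access denied. `guest_l3_payload()` is the hardened firewall body to push for a guest SSID; the weak counterpart is simply `allowLanAccess: True` with no deny rules, as SSID 2 shows.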