Hmm, preventing GUEST from VPN can be solved by a proper VPN policy:
And what's weird, the GUEST can talk to MAIN WiFi hosts by default (when I only want it to access one particular IP there). I described this issue in another post on this forum.
I guess I'll have to add proper firewall rules, but I worry that setting those via LuCI will somehow be overridden by the Beryl native UI in case I modify e.g. the VPN policy...