hey welcome
for isolated networks sure this is possible
- vlans are not needed, we can just do something which is called a routed ap to make it as easy as it gets, there is also a CLI tutorial on openwrt here, though i'm gonna show it in luci since CLI looks much more advanced and intimidating for first users.
first lets start with the basic network and later i'll explain ways to isolate, this highly depends on which way you want the isolation to work.
first lets begin entering luci like:
the login credentials of luci are:
username: root
password: password same as gl ui
then navigate here:
now you likely get a warning message with the title: "Network ifname configuration migration" just click continue.
now scroll down and click the button like on the screenshot:
please take an example from this image:
click on protocol and set this to static, leave device unspecified.
now it looks like this:
lets show you how to make one network so you can proceed later with more
please pay careful attention, you should leave gateway and broadcast empty; if you look very closely you see these values are defaulted but not filled in.
now click on advanced tab:
and make sure we uncheck default gateway.
why is this needed you wonder? to answer that question: it is because otherwise this interface could also act as a gateway, which is not what you want, because your connections should go through wwan or wan and not multiple interfaces, the gateway is basically your internet or upstream router.
you also need a dhcp server set, click on the tab DHCP Server, you also have to click on a button first to have it shown like this:
now lets create the firewall zone for wlan0:
and create it like so and press enter:
now save and apply.
if we now go to:
you can see this:
if you look into the row input you see it says reject, put this into accept only for the zone wlan0 then save and apply.
depending if you want this network to have internet, click on edit and configure it like so:
this effectively means this is a traditional firewall, meaning everything your devices send towards the internet automatically allows the other end to respond back, however it will not accept traffic when the other side first initiated the communication, this will then be dropped if you look into the wan zone with input 'drop'.
congrats! you got your first network created, lets attach this one to wireless
lets navigate to here:
you will see something like this:
so i noticed ssids become unstable after having more than 2 per band on 2.4ghz or on 5ghz, this means you either have to sacrifice the guest wifi for the custom network, you can trust me this is the easiest way, honestly i doubt guests need 5ghz
if you want it complicated this is possible but i won't recommend it now, maybe when you feel more experienced with luci and openwrt you can try to make a multi psk environment, this essentially means with firmware op24 you can have multiple psk phrases on wpa2 which then redirect you to a vlan network, but then you have to learn first how vlans function and then how multi psk is defined, which also needs access to the CLI (a command prompt interface or shell), for this i wrote a simple script to do the wifi part of the vlans, but you still need to configure vlans, see here.
now lets say we edit the guest wifi, lets click edit:
you want to uncheck guest and check wlan0, the new interface you created
then save and click save and apply, then restart wifi as from the previous screenshot where you clicked on edit.
so there are multiple ways of isolation, some apply to your setup and some do not
currently as how the firewall has been zoned, the zone is only allowed to talk to the internet, but not to the devices under the lan zone; this can be a way of isolation, you can call this zone isolation, where only network to network is isolated, this is often the most common approach for isolation.
but you can also have client to client isolation, this means a client in the same network subnet cannot talk to another client inside the same subnet and firewall zone.
currently there are two ways to reach the same goal but it can be complicated
you got hostapd's isolation, hostapd isolation is as far as i know only for wireless clients, but the mistake most people make is when they have wifi + wired joined in one network, the wired clients likely can still talk to each other while the isolation is only for wireless clients, likely not an issue in your case since you want it to be fully on wifi but it is something to be aware of, it could be hostapd has been updated in the future and it now works on wired but just check this extra
to enable this you can go into the wireless settings in luci, then edit the network again as before when adding the wlan0 interface to the wireless network.
and then click here:
and then:
but what if you also want to isolate wired clients? can iptables or nftables work?
answer: while they are the core firewall it is not possible, however there is a package called ebtables which can do bridge isolation, and through this it is possible to also isolate wired clients.
^ this however is more complex, requires CLI and you need to use ebtables -A FORWARD --logical-in wlan0 -j DROP
there might be ways to add this command at startup but I think this is the best solution once wired clients also need to be in this network, then hostapd's method is redundant since this blocks it on layer 2 i believe (I think bridges are layer 2, could be mistaken)
client to client blocking is actually a pretty unique feature because it's hard for firewalls to do anything client to client
and the last advice I can give is:
the web ui hosts on 0.0.0.0, basically that means every network starting like: 192.168.10.1
as what i have set up for wlan0 will show the gl ui, if you want a dodgy network you might want to go to firewall then click here:
and make a rule like:
sorry for my late response, i was not home, and sorry if the message is so long, if you got questions feel free to ask me!
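As an added example (not part of the original post): the uci CLI equivalent of the LuCI steps above, printed as a uci batch so it can be reviewed before it is applied. The wifi-iface section name, the DHCP range and the web UI ports 80/443 in the blocking rule are assumptions; the rest mirrors the post (static 192.168.10.1, default gateway unchecked, a wlan0 zone that forwards only to wan, hostapd isolate, and a rule keeping the router's web UI away from that zone).

```shell
# Added example, not from the original post: uci batch equivalent of the LuCI
# steps for the routed AP "wlan0". Assumed (not in the post): the wifi-iface
# section to re-point (default @wifi-iface[1], the former guest SSID), the
# DHCP range 100-150, and the web UI ports 80/443 used by the blocking rule.
# Print the batch; nothing changes until it is piped into `uci batch`.
wlan0_uci_batch() {
    cat <<EOF
set network.wlan0=interface
set network.wlan0.proto='static'
set network.wlan0.ipaddr='192.168.10.1'
set network.wlan0.netmask='255.255.255.0'
set network.wlan0.defaultroute='0'
set dhcp.wlan0=dhcp
set dhcp.wlan0.interface='wlan0'
set dhcp.wlan0.start='100'
set dhcp.wlan0.limit='150'
add firewall zone
set firewall.@zone[-1].name='wlan0'
add_list firewall.@zone[-1].network='wlan0'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall forwarding
set firewall.@forwarding[-1].src='wlan0'
set firewall.@forwarding[-1].dest='wan'
add firewall rule
set firewall.@rule[-1].name='Block-wlan0-webui'
set firewall.@rule[-1].src='wlan0'
set firewall.@rule[-1].proto='tcp'
set firewall.@rule[-1].dest_port='80 443'
set firewall.@rule[-1].target='DROP'
set wireless.$1.network='wlan0'
set wireless.$1.isolate='1'
commit network
commit dhcp
commit firewall
commit wireless
EOF
}

# On the router apply it and reload the affected services; elsewhere just show it.
apply_wlan0() {
    if command -v uci >/dev/null 2>&1; then
        wlan0_uci_batch "$1" | uci batch && reload_config
    else
        wlan0_uci_batch "$1"
    fi
}
apply_wlan0 "${1:-@wifi-iface[1]}"
```

Check the printed batch against the LuCI screens first; the zone forwards only to wan, so lan devices stay unreachable from wlan0 exactly as described above.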