RV guest wifi for strangers

I'm curious is anyone has some thoughts for this scenario...

I'm travelling with my RV and camped in a remote, off-grid site. I'm well away from cell coverage and have Starlink setup as a WAN input to my Spitz AX. Another VanLifer pulls in to a spot next to me and sets up for the night. We get to talking and he asks me if he can use my wifi to get online while he's there.

I have no issue sharing my connection, and a guest network on my Spitz AX isolates my LAN devices (from the router itself to my connected devices including NAS drives). BUT, in the back of my mind, I do have reservations about what this stranger could do using my connection - from torrenting copyrighted files to downloading/uploading blatently illegal content to something else which I haven't even thought of.

My initial thought was to add a couple firewall rules to allow only http/https traffic, but this is kind of an outdated practice and would block a lot of apps from working correctly. Perhaps I can just add a blocklist of notorious websites. Or, maybe I'd be better off to just force the entire guest network through NordVPN (I've got a spare connection available).

Does anyone have any thoughts? Alternatively, is there an OpenWRT package (maybe for businesses with public wifi) that addresses these types of issues?

I would open up a Guest Wi-Fi and route it via Mullvad/NordVPN/whatever.
But it depends on the laws. Some countries allow to share Wi-Fi without being responsible.

Nice idea.

Just configure your guest network, create a WiFi QR Code, print and place it at your RV...

But I don't see how to limit the bandwidth. Maybe the parental control could help here.
I would not invite people outside my RV to my network. I like the idea.

I believe in isolation if I'm going to share with someone I know nothing about. I would use a second small router, like an AR300m16, and setup a very restrictive guest sharing network. Looking over past reported bugs on the GL iNet routers, more have been on the LAN side than the WAN side, so I'm not letting someone I do not have full trust in, directly access my core router on the LAN side.

At a minimum, I would limit the ports to just TCP 80 and 443, along with forcing a safe DNS server like Adguard's, and limiting the bandwidth. I might even go with a VPN client on the AR300m using OpenVPN, as on a AR300m, that would limit the bandwidth.