by champtar 768 days ago
I invite you not to blindly trust L2 security features; anything that uses a denylist approach can miss some corner cases. Have a good read :) https://blog.champtar.fr/VLAN0_LLC_SNAP/
1 comments

Interesting write-up! I typically use multiple WLANs as well as guest isolation on the "guest" network, which further reduces the attack surface. All of the network infra also runs on a separate management VLAN and (by default) switch ports are on the guest network, so if someone randomly plugs into an Ethernet jack, they're not getting on the MGMT LAN. Maybe not perfect, but certainly better than your average Comcast/Verizon/Orange/SFR setup!