[rotoole]

My 2 cents:

Even w/ WPA encryption enabled, a malicious user merely needs to get the network password/access to sit on the network and sniff packets as they fly by. This could be achieved thru various network sniffing tools, or some surreptitious people hacking. So relying on encryption alone does not solve anything.

If your guest WiFi is un-encrypted, i.e. no password/WPA, there is still transport layer encryption like HTTPS, that will secure the connection between the client and server, i.e. your web browser and your bank website. HTTPS assumes that you are on an insecure connection, that's what it was designed for!

Finally, many guest networks implement client isolation, which prevents clients on the LAN from communicating directly with each other or to other private LAN's connected to the guest network. Often network admins setup wholly separate network infrastructure for guest access, totally isolating their private back office LAN from the guest LAN.

Anyways, this stuff is hard, and probably beyond the comprehension of your average business that needs to implement guest WiFi.