Aesmith’s point is crucial of course.
The ZyXEL NWA3560-N WAPs, which I am using, have two separate functions: (i) isolate wireless stations from one another, and (ii) an L2 isolation ACL feature which allows you to say “not allowed to talk to any wired or wireless node with the exception of x or y or z …”, and you need this because if you want a particular node to be able to talk to the internet it will need to be able to talk to the default gateway, i.e. the router, and to a DHCP server, on-LAN DNS server if applicable, and so on.