Hacker News

benlivengood, yesterday at 11:53 PM, 0 replies

Without 802.1X (EAP), there isn't really a way to achieve client isolation against inside attackers who can mount mc-mitm [0] attacks against base stations and clients. The basic problem is a single shared secret that allows anyone who knows it to act as any of the participants (which also breaks privacy). Unfortunately the infrastructure for EAP is unwieldy for unmanaged devices.

The real solution is zero-trust network access, which gets closer to reality with passkeys; the last mile will be internal (LAN) devices that need a way to provision trusted identities (Bluetooth proximity, QR codes, physical presence buttons, etc.). Quite a pain for smart bulbs or other numerous IoT. If ZTNA is solved then 802.1X is trivial as well for e.g. preventing bandwidth stealing.

EDIT: I guess Matter is leading the way here. I need to do some more reading/learning on that.

[0] https://www.rit.edu/wisplab/sites/rit.edu.wisplab/files/2022...
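The comment's core point, that one shared secret lets any holder act as any participant while per-client credentials let the network attribute traffic, can be shown with a small toy model. The following is an added example and not part of the comment or of any real Wi-Fi stack: it uses an HMAC tag as a stand-in for frame protection, a constant `psk` for the shared-secret case, and per-station random keys (standing in for the per-client keying an EAP/802.1X exchange yields) for the other; all names and values are constructed.

```python
import hashlib
import hmac
import os

# Constructed toy model (added example). Frames carry a claimed sender, a payload
# and an authentication tag; the access point decides whether to trust the claim.


def tag(key: bytes, sender: str, payload: bytes) -> bytes:
    """Tag binding a claimed sender identity to a payload under `key`."""
    return hmac.new(key, sender.encode() + b"|" + payload, hashlib.sha256).digest()


class SharedSecretNetwork:
    """WPA2-PSK-style model: every station holds the same secret, so a valid tag
    proves only that *some* PSK holder built the frame, never which one."""

    def __init__(self, psk: bytes) -> None:
        self.psk = psk

    def verify(self, claimed_sender: str, payload: bytes, t: bytes) -> bool:
        return hmac.compare_digest(tag(self.psk, claimed_sender, payload), t)


class PerClientKeyNetwork:
    """Per-client keying model: the AP keeps one key per enrolled station and
    checks a frame against the key of the identity it claims."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def enroll(self, station: str) -> bytes:
        key = os.urandom(32)  # stands in for a per-client PMK from EAP
        self.keys[station] = key
        return key

    def verify(self, claimed_sender: str, payload: bytes, t: bytes) -> bool:
        key = self.keys.get(claimed_sender)
        if key is None:
            return False  # unknown identity: nothing to check against
        return hmac.compare_digest(tag(key, claimed_sender, payload), t)


def demo() -> tuple[bool, bool, bool]:
    """Returns (shared_model_accepts_impersonation,
                per_client_model_accepts_impersonation,
                per_client_model_accepts_genuine_frame)."""
    psk = b"household-passphrase-known-to-every-station"  # constructed value
    shared = SharedSecretNetwork(psk)
    # Station B, an ordinary member of the network, labels a frame as coming
    # from station A. With one shared secret the AP cannot tell the difference.
    shared_accepts = shared.verify("A", b"hello", tag(psk, "A", b"hello"))

    net = PerClientKeyNetwork()
    key_a = net.enroll("A")
    key_b = net.enroll("B")
    # The same mislabelled frame built with B's own key fails A's check ...
    per_client_accepts = net.verify("A", b"hello", tag(key_b, "A", b"hello"))
    # ... while A's genuine frame passes, so isolation policy can be attributed.
    genuine_ok = net.verify("A", b"hello", tag(key_a, "A", b"hello"))
    return shared_accepts, per_client_accepts, genuine_ok


if __name__ == "__main__":
    print(demo())
```

The shared-secret model returns `True` for the mislabelled frame because the verifier only has the one key everybody shares; the per-client model returns `False` for it and `True` for the genuine frame, which is the property any client-isolation rule needs before it can be enforced.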