We run something similar with regard to SM isolation. We take it a step further and run port isolation on our switch to prevent one AP from sending any packets to SMs on another AP. This for us is more effective than splitting into different VLANs per AP. It makes for less work and less IP waste on the network. We have also been converting all SMs into NAT mode, and we also use PowerCode. Overall, your network is just much more stable if customers are not able to bridge frames on your layer 2.