You could, or probably should, accompany Internet only with Isolation on the same VLAN, and/or explicit firewall drop rules, given that all those internet only clients are placed in the same VLAN and no non-internet only resides in the same VLAN. As understand it, Isolation implicitly impose firewall rules to block inter-vlan traffic to and from that VLAN.