@ajmxco do you happen to have a switch in place on your network?

the reason I ask is the guest network uses a VLAN to isolate from other traffic. If your switch is not preserving or setting the tag correctly then this could be the result. 
 

also you mention having device isolation on. Isolation is not the same as traditional client isolation or AP isolation options you see in other equipment.

meaning: setting a device to isolated does not segregate it and block it from talking to any other IP's besides the gateway/internet. It sets the device to only be able to talk to any OTHER devices that also have isolation cut on.

So if I have device A, B and C... and A and B have isolation cut on, but C doesn't— A and B can talk to each other, but nobody can communicate with C.

In most situations, having A and B with isolation on would mean that A can't see or talk to anyone else, B can't see or talk to anyone else... and C can't see or talk to either A or B. So it pretty much can't see anyone else... unless D joins and doesn't have isolation on... then it would be able to see and talk to D. In most implementations, client isolation applies to all devices on the SSID on which it is set. All or nothing. Each device is an island. 

In this way, the deco's version of device isolation is really the same as putting those devices on a separate SSID/guest network without actually having to put them on a different SSID/network than your other traffic. 
 

the only benefit that I could think of there is if you already had like 100 IoT devices already configured to connect to a single/main wireless network and you wanted to now segregate those devices from your personal devices without having to go and reset and reconfigure every one of the devices to connect to a different SSID which would be a huge pain. 
 

So in other words, it's pretty much dynamically putting all those now "isolated devices" on their own VLAN for security. I'm not sure on this but I also think any isolated devices can also talk to the devices on the IoT network and vice versa... and the actual guest network acts in a way that traditional AP/client isolation does. That is, anything on the guest network cannot talk to anything else- nothing else on the guest network; nothing on the main and/Or IoT networks and can't talk to any devices with isolation cut on.

The implementation is about as clear as mud. They've taken concepts and technologies that are and have been in use for a long time and sort of combined them, renamed them- usually both.. so even if you are very familiar with those things, you'll be confused by this.

So anyways -all that said I think the root of your issue is VLAN or VLAN-ish.

Edit: Confirmed with their documentation - devices that are in Isolation mode are able to talk across across all 3 networks: main, IoT and  guest. So if you have the isolation option on these devices you're having issues with, I would start by cutting that OFF and trying again.

Remember that in their implementation, there seems to be no subnetting so there is as far as I can tell, no differentiation between connected devices other than some software controls. 
 

If they're all on say 192.168.1.x, regardless of SSID, then the Deco must be the thing that keeps or allows them from talking. There is no actual "routing" in a traditional sense, that is, moving traffic between subnets via routing tables, gateways and subnet masking.