Guest Virtual Network - is very restricted - they can not ping or they can do RDP with the neighbor IP, that is the advantage of SD-Access deploying in-network with ISE, Macro, and Micro segment.
Way back there was a product in the DC environment not many deployments i have seen, called VSG, Virtual security gateway in DC, the host can not talk to each other since in Hosted environment security is very important, (later they replaced in ACI with Contracts) - same here.