I got it to work with a little trick, using nonstandard subnet masks:

The primary router's internal LAN is set to:

 - Router IP: 192.168.1.252
 - Mask: 255.255.255.0  
(so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.255)

The secondary router is connected through its WAN port to the primary.  
Its internal LAN configuration is set to:

 - Router IP(secondary router): 192.168.1.1
 - Mask: 255.255.255.**128** (== .10000000b)   
(so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.127)

Its WAN Configuration is set to:

 - Gateway: 192.168.1.252 (The primary router)
 - Router IP: 192.168.1.249 (The secondary router's outward-facing IP)
 - Mask: 255.255.255.**248** (== .11111100b)   
(so valid IPs in this subnet are in the range 192.168.1.248-192.169.1.255)

This way, the secondary router can access the primary router, and clients connected to the secondary router can also access the primary router, and through it the internet.  

But clients on the secondary router cannot access any clients on the primary router's subnet with IPs between 192.168.1.0 and 192.168.1.128. That IP range is not forwarded by the secondary router, since that is *also* the local subnet of the secondary.


So guest mode is no longer required on the secondary router, clients on the secondary simply cannot see clients on the primary, unless those clients have an IP greater than 192.168.1.128.