We have a self-contained flat in the basement of our house that we're going to rent out again.  Previously, we've let it to friends or family and they have shared our internet.  However, with potentially strangers in there, I want to look at options to offer them internet access, but keep their access separate from ours.  The flat has it's own WAP (Cambium cnPilot E400 and one ethernet socket, both cabled back to our managed switch and router (Edgerouter Lite).  We have another couple of WAPS and lots of ethernet ports in the main house and we also use a geo-unblocking dns service on the router.

The options I see are:

1. VLAN

Set up a new SSID on the flat WAP and VLAN tag it.  I'd also, VLAN tag the port on the switch for the flat ethernet.  This would mean I'd have to get up to speed with VLAN tagging and separation rules on the ERL.  I'd probably also need to ensure the flat VLAN didn't have the geo-unblocking DNS.

2. Router Port

I could connect the flat WAP and ethernet port to Eth2 on the ERL, thus putting them on a separate subnet.  I'd have to wipe existing SSIDs off the flat WAP and replace with just the new guest SSID.  This would be simple to set up and is easy to set DNS at interface level in the ERL.  Are the subnets completely separate?

3. Separate ONT

If for some reason the tenants wanted their own router and ISP account, could I get a second port provisioned on the ONT and patch that to the ethernet to the flat.  They could then connect their own router to the flat's ethernet socket.

What are the various pros and cons of these approaches and things I might have missed or need to consider?