Comment on Basic networking/subnetting question.

pHr34kY@lemmy.world 2 weeks ago

I’ve done this. I have 3 subnets on a single L2 switch without VLANs, and the device isolation works. There are a few caveats:

  1. I used a 4-port NIC on my router so I could have each subnet on its own interface. They all go directly into the L2 switch.
  2. You can only have one DHCP server broadcasting. If you have two, there is no way of predicting which subnet you land on.
  3. My guest subnet is only accessible via Wifi. I have specifically set up my access points so that a particular SSID is assigned to a particular subnet. The access point can broadcast DHCP on a single SSID.
  4. My third subnet is for my security cameras. It’s IPv6-only, and each camera has a static IP address. There is no DHCP. It means my cameras never physically use the same cables as my primary LAN, although they are on the same L2 switch.

All traffic between subnets seems to go through the router, so I have some nftables rules to ensure my guest wifi can only see its own subnet and the public internet.
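One way to write the forward-chain policy the comment describes (guest reaches only itself and the internet, everything inter-subnet crossing the router), as an added example that is not the poster's own ruleset; the interface names and prefixes below are constructed placeholders:

```nft
# Constructed example of guest isolation on a multi-interface router.
# Placeholder interfaces (not the poster's values):
#   lan0   = primary LAN (DHCP from the router)
#   guest0 = guest SSID  (DHCP from the router)
#   cam0   = cameras, IPv6-only, static addresses, no DHCP
#   wan0   = uplink
define LAN_IF   = "lan0"
define GUEST_IF = "guest0"
define CAM_IF   = "cam0"
define WAN_IF   = "wan0"

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful: replies to flows permitted below are allowed back.
        ct state established,related accept
        ct state invalid drop

        # Guest may only reach the internet. Every inter-subnet packet
        # crosses the router, so dropping guest -> lan/cam here is enough;
        # guest -> guest traffic stays on the L2 switch and never hits this chain.
        iifname $GUEST_IF oifname $WAN_IF accept
        iifname $GUEST_IF oifname { $LAN_IF, $CAM_IF } drop

        # Primary LAN gets the internet and may open sessions to the cameras.
        iifname $LAN_IF oifname { $WAN_IF, $CAM_IF } accept

        # Cameras only answer (covered by the established rule above);
        # anything they initiate, including cam -> wan, is logged and dropped.
        counter log prefix "fwd-drop: " drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        icmp type echo-request accept
        # IPv6 neighbour discovery is required for the static-IPv6 camera segment.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, echo-request } accept
        # DHCP and DNS from the router, only on the two DHCP-served subnets.
        # Note: a second DHCP server on the shared switch answers at L2 and never
        # transits the router, so this ruleset cannot enforce the one-DHCP caveat.
        iifname { $LAN_IF, $GUEST_IF } udp dport 67 accept
        iifname { $LAN_IF, $GUEST_IF } udp dport 53 accept
        iifname { $LAN_IF, $GUEST_IF } tcp dport 53 accept
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the `counter` on the final forward rule makes it easy to see which guest-to-LAN attempts are being dropped.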
