Since generally routers are not considered a multi-user system, this normally would not be a problem. But consider that a majority of Linux security is dependant on user space separation. All it takes is for someone to find an exec exception such as the one that exists in SAMBA, and then can access everything valuable on your router, even if SAMBA is running as an unprivileged user.
I'm trying to come up with "everything valuable on your router" and drawing a blank.
If you really care about this level of security, don't use your router as a NAS. Buy a $20-$30 pogoplug and install Debian on it, and run your Samba shares on it. It'll be faster than Samba on the router, too.
I always post all my bank ATM codes on the router for safe keeping. You mean someone might be able to see them?
The most valuable thing on my router stored in nvram is of course the router configuration itself. If a user can change that, they can easily do any sort of man in the middle attach they want. However, they can also find passwords and other information, since many protocols such as my openvpn login, my fetchmail script, … does not use an protocol that allows storing just a hash instead of the actual password.
Really, once they have access to your router, they have access to everything in your subnet.
You could leave the router to do its core function and this won't be a problem.
"guest" acts like a jerk. It's a SECURITY issue. Don't act like it's not important. IT IS important. Any security issue is important. If someone is complaining it's because their data security is important to them. If you have nothing better to say just shut up.