How does Guest Network not see devices "above" the eero?

I'm a bit surprised by the behavior I'm seeing and I'd like to understand why things work the way I'm seeing them.

For a variety of reasons, my Internet connection comes into a router/firewall.  One reason is that this provides me some logging of what's coming and and going out.  The internal interface for the router uses a /24 network in the 10.x.x.x space.  The head eero is connected to this router, as is a NAS unit and a Raspberry PI.  My computers are all connecting to the eero (wirelessly or one on a wired connection) and the eeros are set to do DHCP and NAT on a different /24 also in the 10.x.x.x space.  For devices that are on the primary eero network, they can see the NAS and the Raspberry PI just fine.  I can ssh into the pi, I can access the services on the NAS.  Accessing the internet is a double NAT, but I've not seen any issues.  I'm only slightly surprised that this works, and I'm quite happy.

The real surprise is that I turned on the guest network feature and when I'm attached to that network, I get a 192.168.x.x address and I can't see the Pi or the NAS.  In my case, this is exactly the behavior I want.  The stuff on the guest network can get to the internet just fine, but not to anything else on my network, even the stuff that's outside of the eero's sphere.  But, I don't understand what the eero is doing so that the main network can see what's in my DMZ zone, but the guest network cannot.