I treat the WAP as untrusted, just like I treat the internet as untrusted. When I had my first 802.11b WAP in 2000, it was directly on the Internet (ISDN, later ADSL), outside my firewall.
Until 2006 (when I started paying for the ADSL line myself), I deliberately left the WAP wide open as all my American colleagues do, to provide roaming internet access to passers-by, although such usage was very small whenever I monitored it.
It's still pretty much the same setup, except I don't keep it wide open anymore, and there's a bit of wirewalling there. Access to my LAN from the WAP goes through same checks as access to my LAN from the Internet.
I quickly discovered that visitors must only be allocated NAT'ed IP addresses. Otherwise Skype, which most of the Windows users have installed and running in the background, discovers it's got a real IP address and becomes a supernode, and quickly starts saturating my link with half the world's skype calls.