Flaky guest account
The "guest account" has always been a mixed bag as far as security is concerned, but clearly someone has screwed up here and deserves to be spanked. A systemd-related change perhaps?
On the one hand it is a good idea that guests can use a machine without widespread access, and once they log out their own privacy is maintained by deleting the account. However, there are some aspects that are security issues (I guess why GCHQ advise disabling it):
1) If using a corporate VPN on boot, then they are in without user log in (even if internal resources should be checking credentials as well)
2) Typically the guest area is a fuse loop-back mount in /tmp but that allows execution even if /tmp has been mounted noexec, etc.
3) The implementation creates random-ish UID/GID values but on a system crash (think - person switching off machine without guest logging off) these accumulate as they don't get purged.
See also https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1604-lts where they also advise that all usual user accounts should have 'other' access removes (e.g. chmod o-rx /home/*)