Which ports and protocols do I need to permit from my guest network to my trusted network (where Hubitat resides) so that I can:
Add new phones connected to my guest network
Detect presence of phones connected to my guest network
Display dashboards on phones connected to my guest network
Dashboards are webpages, so IP addresses on your guest network and trusted network would be using http/https and their associated TCP ports, 80 and 443, to communicate with one another.
Guest user accounts can be created and registered with the hub by an admin user, as the link you posted explains. It doesn’t matter where the guest user is when that occurs.
Similarly, they don’t have to be connected to your LAN at all to log in to the Hubitat mobile app. While on an isolated guest network, they won’t be able to use local dashboards without appropriate firewall rules though.
The mobile app’s presence sensing uses a geofence, which could be set, for example, with a radius that far exceeds your home’s WiFi coverage. So again, doesn’t really matter whether a phone is on a guest or trusted SSID.
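As an added example (not part of the original posts), this is what forwarding rules that permit only the dashboard traffic described above could look like on a router that filters with nftables. The two subnets, the hub address and the table name are constructed placeholders, and the use of nftables is an assumption about the router.

```nftables
# Constructed placeholder addressing: replace with your own values.
define GUEST_NET   = 192.168.20.0/24
define TRUSTED_NET = 192.168.10.0/24
define HUB_IP      = 192.168.10.50

table inet guest_to_hub {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Return traffic for connections that were already permitted.
        ct state established,related accept

        # Guest phones may reach the hub's web ports (dashboards) only.
        ip saddr $GUEST_NET ip daddr $HUB_IP tcp dport { 80, 443 } accept

        # Anything else from the guest network into the trusted network is dropped.
        ip saddr $GUEST_NET ip daddr $TRUSTED_NET drop
    }
}
```

Scoping the allow rule to the hub's single address, rather than the whole trusted subnet, keeps the guest network isolated from every other trusted device.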