In fact, looking at my setup, I do have an additional rule which called AllowAppleTV which lets the AppleTV device connect to anyting on the untagged LAN:
Agree - this is a somewhat increased security risk, so you may not want or need this rule.
Another thing to consider is that many apple devices support AWDL (Apple Wireless Direct Link) which enables two apple devices to communicate via an ad-hoc WiFi channel. I believe this allows two apple devices (say an AppleTV and a iPhone) to communicate over bluetooth, and then send data over WiFi without involving your router at all.