The feature firewall rules is not available in AP / extender mode. Therefore, access can‘t be restricted. There is no other way to block mac or ip addresses. Apart from that, to make use of a firewall rule seems to be just a workaround for me. In router mode, one can switch a segment to security-level „protected“. That does prevent access to management services of the device. This very same feature in AP / extender mode would be a much better solution. Unfortunately, it is not available in the OS in AP / extender mode right now. This was confirmed by Keenetic support.
My request was already reviewed by Keenetic support. To implement this as a new feature, they suggested to post it in the forum in order to get additional votes from other users for my request. If there is interest from other users it would help.