By default, the administration ports of Tomato (e.g. ssh and http/s) are reachable from all the VLANs/WLANs configured on the router.
The credentials must of course be known to access the router, but if this communication is unwanted, as a start you can filter out access with the following script on the Administration/Scripts/Firewall page:
iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,80,443 -j REJECT
Adjust the ports above (22,80,443) if you're using non-standard ones, and add additional lines, changing br1, if you have multiple bridges/guest VLANs.
NOTE: Take care not to lock yourself out; you most likely do not want to filter on br0.
NOTE2: This takes effect the next time the firewall script is called. You can force this manually either by running service firewall restart or by rebooting the device.
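
The rule above, extended to several guest bridges with a guard against filtering br0, as an added example that is not part of the original page. The bridge names br1/br2, the variable names and the APPLY switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Intended for the
# Administration/Scripts/Firewall box; variable names are illustrative.

GUEST_BRIDGES="br1 br2"   # assumption: bridges that must not reach admin ports
ADMIN_PORTS="22,80,443"   # adjust if you use non-standard ports
MGMT_BRIDGE="br0"         # never filtered here, to avoid locking yourself out

# Print one rule spec per bridge on stdout; refuse the management bridge.
admin_block_specs() {
    ports="$1"; shift
    for br in "$@"; do
        if [ "$br" = "$MGMT_BRIDGE" ]; then
            echo "skipping $br (management bridge)" >&2
            continue
        fi
        echo "-p tcp -m multiport -i $br --dport $ports -j REJECT"
    done
}

# APPLY=1 installs the rules; anything else is a dry run that only prints them.
admin_block_specs "$ADMIN_PORTS" $GUEST_BRIDGES | while read -r spec; do
    if [ "${APPLY:-0}" = "1" ]; then
        # Delete an older copy first so repeated runs do not stack duplicates.
        iptables -t filter -D INPUT $spec 2>/dev/null
        iptables -t filter -I INPUT 1 $spec
    else
        echo "iptables -t filter -I INPUT 1 $spec"
    fi
done
```

Run it once without APPLY to review the printed rules, then set APPLY=1 at the top when pasting it into the firewall script; iptables -L INPUT -n --line-numbers shows the result.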