The person who told you that is 95% correct. WPA2-PSK (e.g. if you just use a passphrase that you hand out to everyone) is not intended to offer security between users, client isolation or not. Every client has a different "pairwise" key in WPA2, but it is derived from the PSK during the 4-way handshaking process. If you witness the handshake, you know the other guy's key. So technically if the attacker just walks into a room, he can only get the keys of new associations (except that's not entirely true either -- if an existing client hops off and back on the network for whatever reason, they'll probably re-handshake).
Client isolation is mostly to prevent the annoying chatter from peer-to-peer discovery traffic between users, and to give them the illusion of being alone on the network. An attacker can still use MAC spoofing and other techniques to impersonate another client or attempt to talk to another client on the network. I would not rely on that for security.
The takeaway points, I think, are:
(1) Use another authentication technique (DPSK, RADIUS, etc.) if it is truly important that users cannot sniff each other's traffic.
(2) Don't expect privacy for cleartext communication. Your clients' devices, if they are mobile, are probably constantly going to places with completely open networks where their data is even more easily seen by onlookers. Clients should be using a secure protocol wherever possible, and maybe even mobile VPN on demand if there are services that cannot be secured the standard way (yuck!).