He will have complete access to your whole LAN this way; this does not help in any way (aside from having firewall rules on every LAN client to reject that second subnet). For instance, try directly accessing the IP of the first router from behind the second router.
I don't know how your network is set up, but I just tested mine again and they are isolated.
Primary Router: 192.168.1.1
DHCP server 192.168.100 - 119
Secondary Double NATed router
WAN Static IP 192.168.1.5
LAN IP 192.168.199.1
DHCP Server 192.168.199.100 - 119
Printer on this network is 192.168.199.60
WAN access to either router is disabled for administration.
When I run a ping from a PC attached to the primary router with IP 192.168.1.100:
Pinging the printer at 192.168.199.60: no response, 100% packet loss.
Pinging the double NATed router at its static WAN IP 192.168.1.5: no response, 100% packet loss.
Reversing the test and pinging from a PC 192.168.199.200 attached to the double NATed router:
Ping primary router at 192.168.1.1: no response, 100% packet loss.
Ping computer at 192.168.1.100: no response, 100% packet loss.
Ping printer at 192.168.199.60: 4 responses, less than 1 ms.
So why is my setup with a double NATed setup different from your setup?
As far as I can tell, my networks are separate and isolated.