I assume it is rate limited in some way
Just to clarify, it is rate limited in the same way your existing connection is (though likely more so).
DOCSIS 3 configured with 4096 QAM can push 10 Gbps down and 1 Gbps up the coax.
Out of that, your service will be allocated some bandwidth over a number of channels, depending on what the ISP feels like offering and how much you are paying them. In the US, let's say you get a 20 Mbps down package (for our UK friends, pretend it's 100 Mbps down) - and that is your rate limit.
Now they can allocate a new channel for the other virtual circuit. This is equivalent to having two people in your house each subscribing to the same cable ISP and having their own cable modem on the wire.
Short of massive bandwidth packages requiring many channels, both modems can live and operate quite happily on the same coax, each tuned to a different channel. (Only if multiple channels are bonded to give more bandwidth are dedicated coax runs involved)
In this case, there is a channel your modem uses for your own service, capped at whatever you pay for.
There is a separate channel the modem also tunes to and sends to the built-in wifi access point, which other subscribers can log in to.
This unrelated channel will also be capped, and likely much lower than your own service.
That channel is bound to a virtual circuit that isn't under your name, and shows as a dialup pool or the like, where RADIUS logs can link usernames and login times with DHCP logs and the IP(s) being used by whom.
In both cases, a metric crapton of unused and unallocated bandwidth over the coax is sitting there idle. Instead of 10000-20 Mbps unused, there will be something like 10000-20-5 (or whatever they end up allocating the wifi).
The bottlenecks are further upstream within the ISP network (typically at their edge routers, which link them to other networks) - no longer at the last mile.
In fact the only difference between two virtual circuits terminating in the same modem (one going to ethernet and wifi radio 1 for you, the other going to wifi radio 2 for others) is the hardware being used to do it.
Accounting, bandwidth, and cost wise there is no difference between this setup, and both you and the person next door subscribing to the same ISP.
As far as the network itself goes, this is already a well known and quite solved problem, and has been going on for decades.
The only real concern is the piece of hardware servicing these two circuits in the same software stack. Any security flaws that would let one circuit route to another in any way differently than if they were separate routers would be a "very bad thing"(tm).
Right now I can only reach you over the network by that ethernet jack in the cable modem, that your firewall names "the outside". Any packets I send must abide by your firewall rules to make it through.
A flaw in the router might possibly allow routing between wifi radio 2 and ethernet/wifi radio 1 in a different way than from coax to ethernet/wifi radio 1 and coax to wifi radio 2.
Imagine iptables set up on a machine with 3 ethernet jacks. #1 is ISP, #2 is you, and #3 is the roommate. Packets from #3 to #2 should NOT flow if they wouldn't also be able to go from #1 to #2, or from #1 to #3 even.
DOCSIS even provides security features where all the cable modems on the same coax can only communicate with the CMTS. You and the person next door, or even the roommate in the same house, willingly communicating over the network will route packets from you out to the cable co and back to the same house to the roommate. Replies take the same long path back. Each cable modem encrypts using unique keys.
Having two such encryption channels in the same cable modem is part of the 3.1 spec at least, so this is more like using an existing feature instead of inventing a brand new homegrown solution out of a Linux box with multiple network adapters.
(Which I'm not knocking! But sometimes carrier grade router gear is the better bet, and with the public masses involved this would be one of those times)
Some also question the competence of the IT staff Comcast chooses to retain, and question if they are capable of realizing such a problem exists as well as applying the industry standard "fix" defined in the 80s (i.e. correct filtering rules on the correct interfaces).
There are a number of ways to do this setup properly and securely. But this is Comcast here, not the network professionals.
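The three-jack iptables picture in the comment above, as an added example that is not part of the original comment: a small auditor that reads `iptables -S` style FORWARD rules and flags any inside-to-inside path that is more open than the same path from the coax. The interface names (eth0 for #1, eth1 for #2, eth2 for #3) and both rulesets are constructed for illustration, and only the options `-i`, `-o`, `-m`, `--ctstate` and `-j` are understood.

```python
import shlex

WAN, HOME, GUEST = "eth0", "eth1", "eth2"  # assumed names for jacks #1, #2, #3

# Constructed weak rules: filtering is applied only on the outside jack.
WEAK = """\
-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j DROP
"""

# Constructed corrected rules: default deny, each inside jack may only go out.
FIXED = """\
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
"""

def new_conn_allowed(ruleset, in_if, out_if):
    """First-match verdict for a NEW forwarded connection in_if -> out_if."""
    policy = "ACCEPT"  # built-in chains default to ACCEPT unless -P says otherwise
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "FORWARD"]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "FORWARD"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # every supported option takes one value
        states = opts.get("--ctstate")
        if states and "NEW" not in states.split(","):
            continue  # rule only matches already-established flows
        if opts.get("-i", in_if) != in_if or opts.get("-o", out_if) != out_if:
            continue  # a missing -i / -o matches any interface
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"] == "ACCEPT"
    return policy == "ACCEPT"

def isolation_violations(ruleset):
    """Inside-to-inside paths that are allowed although the coax path is not."""
    bad = []
    for src, dst in ((GUEST, HOME), (HOME, GUEST)):
        if new_conn_allowed(ruleset, src, dst) and not new_conn_allowed(ruleset, WAN, dst):
            bad.append((src, dst))
    return bad
```

The weak ruleset blocks new connections from the coax yet lets the two inside jacks reach each other through the default policy; the corrected one leaves no such path while both inside jacks can still reach the ISP.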