Private VLANs isolate hosts within the same VLAN/subnet — isolated ports can't communicate with each other, only with promiscuous ports (the gateway/router).
PVLANs are commonly used in hosting environments — each customer's servers are isolated from others even on the same subnet. Isolated port: talks only to promiscuous. Community port: talks to same community + promiscuous. Promiscuous: talks to all. Prevents lateral movement between same-VLAN hosts without IP routing.