Firewall rules on interfaces in pfSense always apply to traffic coming into that interface. What you are describing sounds like outgoing traffic, i.e. traffic comes in on another interface (say, VLAN 5, I’ll use this throughout my post) and is destined for VLAN 10. On the interface for VLAN 5, a rule will decide whether to “let the traffic out” of the interface and continue on its route.
Therefore, by default, no traffic coming in on VLAN 5 (or any interface, really) can go to VLAN 10 because the default behavior is to drop traffic that is not explicitly allowed. That means if traffic can currently get from VLAN 5 to VLAN 10, there must be a rule on the VLAN 5 interface allowing that traffic (or a floating or interface group rule). In this case you should check your rules.
You probably have a rule to allow internet access for clients in VLAN 5. Depending on how you have set that up, this might be where your misconfiguration is. If your rule is set up like pass from VLAN5_NET to *, i.e. with a wildcard destination, that includes the VLAN 10 net! What I like to do to go around this problem is to have an alias called “private_networks” which includes the following networks defined by the IETF:
My “allow internet” rule is then defined as pass from VLAN5_NET to !private_networks, i.e. using the inverted alias as the destination. That allows clients to access the internet, but not any other local subnets.
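Added example, not part of the original post: a small first-match evaluator that compares the wildcard rule with the inverted-alias rule on the VLAN 5 interface. The subnets, host addresses and firewall address are constructed, and the alias contents are assumed to be the RFC 1918 ranges because the post's own list is not on the page.

```python
import ipaddress

# Assumed addressing, constructed for this example (not from the post).
VLAN5_NET = ipaddress.ip_network("192.168.5.0/24")
# Assumed alias contents: the RFC 1918 private ranges.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(addr, nets):
    return any(addr in net for net in nets)

def make_rule(action, src_nets, dst_nets=None, invert_dst=False):
    """dst_nets=None models the wildcard '*'; invert_dst models '!alias'."""
    return {"action": action, "src": src_nets,
            "dst": dst_nets, "invert": invert_dst}

def rule_matches(rule, src, dst):
    if not in_any(src, rule["src"]):
        return False
    if rule["dst"] is None:          # wildcard destination matches anything
        return True
    hit = in_any(dst, rule["dst"])
    return not hit if rule["invert"] else hit

def evaluate(rules, src, dst):
    """Interface rules: first match wins, unmatched traffic is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule["action"]
    return "block"

# The two variants of the "allow internet" rule on the VLAN 5 interface.
WILDCARD_RULES = [make_rule("pass", [VLAN5_NET])]
INVERTED_RULES = [make_rule("pass", [VLAN5_NET], PRIVATE_NETWORKS,
                            invert_dst=True)]

def audit(rules):
    """Verdicts for test packets sent by a VLAN 5 client (192.168.5.20)."""
    client = "192.168.5.20"
    return {
        "to_vlan10": evaluate(rules, client, "192.168.10.30"),
        "to_internet": evaluate(rules, client, "203.0.113.10"),
        "to_firewall": evaluate(rules, client, "192.168.5.1"),
    }

if __name__ == "__main__":
    print("wildcard:", audit(WILDCARD_RULES))
    print("inverted:", audit(INVERTED_RULES))
```

With the inverted alias, traffic to the firewall's own VLAN 5 address is also blocked, so services hosted on the firewall (DNS, for example) need a separate pass rule placed above it.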