These Laravel features are needed only for very simple rest projects. In real life, they are not only not needed, but even interfere, since create is often called from different places and with different parameters. It's better to create a BaseModel, set $guarded = false and not worry about $fillable and $guarded. So here you can either use validor + $request->only, or a slightly modified Request, and everyone else will inherit from it. And it has a method like "$request->neededFields()" that returns only the required fields, based on array_keys($validationArray)
I hope it's clear. In a nutshell: don't use this crap.

$fillable and $guarded in the model are responsible for different functionality. I'm not a guru myself, but from practice I know that the first variable points to the fields that are necessary to create an entry in the database through ModelName::create();
In other words, it's a set of columns that don't have a default value.
$guarded - fields that should not be shown in responses from the server are listed here. For example in the controller
$user = User::find(1);
return response()->json($user);
in response, absolutely all the information from the database will go away, including the password, and so on. But if the model has
$guarded = ['password'];
then the password field will no longer be in the response.
Perhaps there are more nuances, or my opinion is wrong. I've only known Lara for a couple of weeks.

If you received data from the form, then you can throw it into the $user->fill($input) model in one fell swoop. But a hacker can replace the form variable names and you'll assign the wrong fields if everything is fillable.
you should still never pass any raw array of user controlled input into a save or update method, as any column that is not guarded may be updated.