BPDU guard would be applied to ports where we should never see a BPDU, ever.
Regarding Root Guard, if we want our core switches to be the primary and secondary candidates for root, it would be a great idea to manipulate the priorities so they would win the STP election.
If, accidentally, a technician sets the priority on an access-layer switch (up on the 5th floor in the wiring closet) to have a better priority, and we want to protect the network from allowing the access-switch to become root, then on the core switches (as well as the distribution switches if we have them), we would use root guard on our core and distribution layer switch ports which are facing the access-layer switches.
We would want to look at our topology, and make sure that root guarded ports never need to be root ports as part of our failover plan, because if spanning tree decides that these guarded ports should be root ports, the ports will be blocked.
Excellent explanation, Keith!
Hollywood - you set rootguard on any port where you should never see a root bridge as downstream from it. If your root is at the distribution layer, and you route between distribution and core (aka, NO L2 links) then all Access Link uplink ports should have rootguard on them.
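
The failover check from the explanation above (root-guarded ports must never need to become root ports), as an added example that is not part of the original thread. The switch names, ports, MACs and costs are a constructed topology, and port tie-breaking is simplified to a string comparison.

```python
import heapq

# Constructed sample topology (hypothetical names): bridge ID = (priority, MAC).
BRIDGES = {"core1": (4096, "00:00:00:00:00:01"),
           "core2": (8192, "00:00:00:00:00:02"),
           "acc5f": (32768, "00:00:00:00:00:03")}
# Each link: ((switch, port), (switch, port), STP path cost)
LINKS = [(("core1", "Te1/1"), ("core2", "Te1/1"), 2),
         (("core1", "Gi1/5"), ("acc5f", "Gi0/1"), 4),
         (("core2", "Gi1/5"), ("acc5f", "Gi0/2"), 4)]
# Core ports facing the access layer, where root guard is configured.
ROOT_GUARD = {("core1", "Gi1/5"), ("core2", "Gi1/5")}

def root_ports(links):
    """Return {switch: root port} for the given set of working links."""
    root = min(BRIDGES, key=BRIDGES.get)          # lowest bridge ID wins
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a[0], []).append((a[1], b[0], b[1], cost))
        adj.setdefault(b[0], []).append((b[1], a[0], a[1], cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:                                   # root path cost per switch
        d, sw = heapq.heappop(heap)
        if d > dist[sw]:
            continue
        for _, nbr, _, cost in adj.get(sw, []):
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    chosen = {}
    for sw in dist:
        if sw != root:
            # Tie-break: lowest cost, then sender bridge ID, then sender port
            # (port comparison by name is a simplification of the port ID).
            chosen[sw] = min((dist[nbr] + cost, BRIDGES[nbr], nbr_port, port)
                             for port, nbr, nbr_port, cost in adj[sw])[3]
    return chosen

def guarded_root_ports():
    """Return (failed link, switch, port) where a guarded port must be root port."""
    findings = []
    for failed in [None] + LINKS:                 # steady state + each single failure
        working = [l for l in LINKS if l is not failed]
        label = "none" if failed is None else f"{failed[0][0]}-{failed[1][0]}"
        for sw, port in root_ports(working).items():
            if (sw, port) in ROOT_GUARD:          # would go root-inconsistent (blocked)
                findings.append((label, sw, port))
    return findings

if __name__ == "__main__":
    print(guarded_root_ports())
```

In this topology the only finding is the loss of the core1-core2 link: core2's sole path to the root is then through its guarded access-facing port, which root guard blocks.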