In the Cisco BCMSN Study-Guide it says that Root Guard should be applied on Access Ports at the Distribution Layer. I am a little perplexed, I thought the Distribution Layer is intended as an aggregation of Access Layer, and a translation from Layer2 to Layer3 traffic. Therefore what, if any, devices are appropriate for the Distribution Layer switches?
Your access layer may consist of dumb layer 2 switches which are not capable of trunking forcing you to use access ports in your distribution layer to put those hosts connected to those access switches in the correct vlan. For security reasons you may also want to limit the number of trunks in a network to prevent vlan hopping or double tagging attacks.