Additional Security for Wifi Devices.

Currently the Capacs I have reside on the home VLAN (trusted).
Access to the Capacs is permitted via IP services: winbox on a non-standard port, plus the system username configuration.
So I can limit winbox access to a specific subnet or LAN IPs, etc.

What other security options are open to me, either on the router or on the Capac itself, to limit access further?
(The rest of the IP services are off.) Am I missing something? Is this insecure in any way?

You can be as restrictive as you feel you need to be. What is the threat vector? Are you protecting access from neighbors (don’t have valid access credentials) or clients within (do have credentials)?

  • Turn the power down to prevent signals escaping the home. Use more low power units to fill in gaps.

  • Each SSID broadcasting in the air should only be set up as a VLAN Access Port (think of the SSID as a virtual Access Port). Understand that credentials can be shared or stolen. So, what do you want to happen when that happens? You decide how far that SSID client can go. It's not hard to get the Wi-Fi key off a PC. So, don't allow access to your MGMT network from Wi-Fi. The MGMT network should only be accessible from wired VLANs.

  • Use very long passwords for Wi-Fi, and then create QR codes so that you don't have to type them in on mobile devices. Naturally, guests on your Wi-Fi need their own SSID (tied to a VLAN) with firewall rules controlling what they have access to.

  • Wi-Fi is crackable. It broadcasts in the air. Anyone storing the signal data can someday reverse engineer it. So, don't do anything too important over it unless that data is also encrypted within. Expect it to be crackable in less than ten years. Yes, we are in paranoia mode, but you asked.

Greetings anav the prolific poster :)

If you want to be EXTRA secure for all your wireless clients, use 802.1X.
The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server.

In v7 of RouterOS a RADIUS server will be included, so by using User Manager you can then add the users you want to authenticate, etc.

Or if you want to run your own RADIUS box, I have a spare ZyXEL RADIUS appliance that you can buy for $100 that can handle 50 clients.

In all high-security environments RADIUS is the methodology.

If not RADIUS, then WPA2 and a 63 mixed-character passphrase would be very expensive to break…
https://www.grc.com/passwords.htm

My question was aimed at protecting the Capacs themselves, not the Wi-Fi.

Can you make that quite a bit clearer?
Protect them from what and whom?

Sorry, from being accessed directly, since they are on the wired LAN.
Direct IP access seems to be non-existent - GOOD
Only access by winbox - GOOD
winbox limited by username and password - GOOD

Anything else I can do? (I don't think so, being layer 2.) But on the router, for example, I can limit access to the router itself (input chain) by my IP.
Assuming there is nothing equivalent on the Capac, as it's not routing, and that the winbox services restriction should suffice.
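An added example (not from any poster in this thread) of how the winbox/IP-services lockdown discussed above looks on the cAP itself, together with the two things that restriction does not cover: the MAC-based management paths that exist precisely because the device sits at layer 2, and the input chain, which RouterOS applies to traffic addressed to the cAP even when it only bridges. The management subnet 192.168.10.0/24, the port 58291 and the user name are assumed values.

```routeros
# Added example, RouterOS CLI (v6.41+ and v7 syntax). Assumed values:
# management subnet 192.168.10.0/24, winbox port 58291, user "capadmin".

# 1. IP services: only winbox stays enabled, bound to the management subnet.
/ip service
disable telnet,ftp,www,www-ssl,api,api-ssl,ssh
set winbox port=58291 address=192.168.10.0/24

# 2. Local users: a second, per-account address limit on top of the
#    service-level one, and no default "admin" account left enabled.
/user
add name=capadmin group=full password="<strong-unique-password>" address=192.168.10.0/24
disable admin

# 3. Layer-2 management paths the IP-service restriction does NOT touch:
#    MAC-Telnet and MAC-Winbox answer on any bridge port by MAC address,
#    and neighbor discovery advertises the cAP to every host on the VLAN.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none

# 4. Input chain: a bridging cAP still has a firewall. "input" is traffic
#    sent to the cAP's own address, so the same per-IP limit used on the
#    router applies here, independent of which services are enabled.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address=192.168.10.0/24 action=accept comment="mgmt subnet"
add chain=input protocol=udp dst-port=68 action=accept comment="DHCP client replies, if the cAP gets its IP by DHCP"
add chain=input protocol=icmp action=accept
add chain=input action=drop comment="everything else addressed to the cAP"
```

Apply this from a host inside the management subnet, since the final rule drops every other source, and use Winbox Safe Mode so that a mistaken rule rolls back when the session is lost.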