Greetings.
Our simple test configuration includes two VLAN interfaces, each assigned a .1 IP address from a different interior /24 subnet, combined in a bridge group with split horizon enabled. There is no L2 connectivity between these two VLANs, just as planned.
The issue appears after an IP packet is received from outside with a destination of a non-existent interior host (no MAC or ARP entry at the MikroTik at the moment). In that case, ARP discovery is sent to both interior networks by each VLAN interface independently, regardless of the destination IP belonging to a single /24 subnet only. Enabling “arp-reply only” mode on the VLAN interfaces does not help either.
Our router is a CCR1036-12G-4S, with 6.28 firmware.
Does anybody meet the same issue, with the same firmware or another one?
It sounds like you’re assigning IP addresses to the VLAN interfaces, which are connected as ports to a bridge.
This is bad practice; don’t do it.
Whenever you assign any interface as a port to a bridge, you should use the bridge interface as the configuration point for any higher-layer functionality (DHCP server, IP address, firewall rules, etc.)
EDIT: The reason what you’re reporting is happening is that even though the two VLANs are isolated from each other at layer 2 because of split horizon, they’re NOT isolated from the ROUTER - so they are in fact a single layer 2 broadcast domain - it’s just that some regions aren’t allowed to reach other regions. So whenever your router sends an ARP, it’s going to go out on both VLAN interfaces because they’re both in the same network.
This is normal, expected behavior. If you want 100% isolation with different IP address ranges - then just remove the bridging entirely and treat them as separate layer 3 networks AND separate layer 2 networks. i.e. - KISS principle: (keep it simple, stupid).
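As an added illustration (not configuration posted by either participant), the RouterOS CLI below shows the layout the original poster describes, followed by the bridge-free layout the reply recommends. Interface names, VLAN IDs, bridge name and addresses are assumed for the example.

```routeros
# Added example, not from the thread. ether2, vlan10/vlan20, bridge-inside
# and the 192.168.x.0/24 addresses are placeholders.

# --- Layout being warned against: IP addresses on VLAN interfaces that are
# --- also ports of one bridge, isolated from each other only by split horizon
/interface vlan
add name=vlan10 vlan-id=10 interface=ether2
add name=vlan20 vlan-id=20 interface=ether2
/interface bridge
add name=bridge-inside
/interface bridge port
add bridge=bridge-inside interface=vlan10 horizon=1
add bridge=bridge-inside interface=vlan20 horizon=1
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
# vlan10 and vlan20 cannot forward frames to each other (same horizon value),
# but both are ports of a bridge the router itself is attached to, so the
# bridge is one broadcast domain from the router's point of view and an ARP
# request the router originates is flooded out of both ports.

# --- Recommended layout: no bridge at all; each VLAN is its own L2 and L3
# --- network and the router simply routes between them
/interface vlan
add name=vlan10 vlan-id=10 interface=ether2
add name=vlan20 vlan-id=20 interface=ether2
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
# An ARP request for 192.168.20.x now leaves only vlan20, because that is the
# only interface carrying 192.168.20.0/24.

# --- Checks: there should be no bridge ports, and ARP entries should be
# --- learned only on the VLAN whose subnet they belong to
/interface bridge port print
/ip arp print where interface=vlan10
/ip arp print where interface=vlan20
```

If inter-VLAN traffic must be restricted, that is done with `/ip firewall filter` rules on the routed path rather than with split horizon, which only shapes layer 2 flooding inside a bridge.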
The only reason we chose the “hard” way is that we had some trouble gathering NetFlow v5 from a physical interface with many VLANs. And because of the limitation of 16 interfaces available to be configured as a NetFlow source, it’s not possible to use per-VLAN traffic collection. But with NetFlow enabled on the couple of bridge group interfaces containing all our VLAN interfaces, it works perfectly…
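For reference, the kind of traffic-flow configuration the original poster describes, binding the NetFlow v5 exporter to bridge interfaces instead of to every VLAN, looks like the following. This is an added example, not the poster's own configuration; the bridge names, collector address and port are assumed, and the parameter names follow the RouterOS 6 `/ip traffic-flow` documentation.

```routeros
# Added example, not from the thread. bridge-inside-a, bridge-inside-b and
# the collector 10.0.0.50:2055 are placeholders.

# Export flows seen on the two bridge interfaces (each of which aggregates
# many VLAN ports), staying well under the interface limit mentioned above
/ip traffic-flow
set enabled=yes interfaces=bridge-inside-a,bridge-inside-b

# NetFlow v5 collector
/ip traffic-flow target
add dst-address=10.0.0.50 port=2055 version=5

# Checks: exporter state and the interface list it is bound to
/ip traffic-flow print
/ip traffic-flow target print
```

Note that flows are attributed to the bridge interface they were observed on, not to the individual VLAN, so per-VLAN accounting at the collector has to come from the IP addressing rather than from the input/output interface fields.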