I upgraded the router CCR1009-7G-1C-1S+, as well as all access points and the switch they are connected to (CRS328-24P-4S+), from v6 to v7.
Since I have access points with different architectures and from different generations, I have to use both the old and new CapsMan. In the previous configuration, I used two DHCP servers and two bridges isolated from each other. In CapsMan, for Wi-Fi clients, I used bridge_wifi with the 11.0 pool, while for the main local network, I used bridge_local with the 10.0 pool. This setup worked before the update, but after migrating to v7, Wi-Fi clients started receiving addresses from both pools simultaneously. Now, some users are on the 10 network, and others are on the 11 network.
I tried removing bridge_wifi and separating the local network from the Wi-Fi network via VLANs, manually configuring VLANs on the CAPs (following the official recommendation), since CAP AC devices cannot inherit the datapath from the new CapsMan. However, the result remained the same.
This is wrong (it always was, but it might accidentally work the way you expect it to). After an ethernet interface is made a bridge port, it must not be used as a stand-alone interface any more.
If you want to use ether2 as a hybrid port - untagged as part of the main local network and tagged as part of the wifi network - then you have to use a single VLAN-aware bridge and handle tagged/untagged VLANs appropriately. Essentially the same way you have it on the CAP device.
1. In principle each port can only be an untagged member of one VLAN.
2. Each port needs pvid set (note that the default setting pvid=1 is not shown in the output of export).
Technically it's possible to partly violate item #1 above. Short explanation: /interface/bridge/port settings are about ingress behaviour. So setting frame-types=any or admit-only-untagged-and-priority-tagged together with pvid will cause the bridge to attach a tag to an ingress frame without a VLAN tag, and the VID used will be equal to the pvid setting.
OTOH /interface/bridge/vlan settings are about egress behaviour. So setting a bridge port as an untagged member of a certain VLAN will allow frames with that VLAN ID to egress via that port ... and will strip the VLAN tag from such a frame when leaving the port. In this section it is possible to set one port as an untagged member of multiple VLANs ... but it's only possible to set a single PVID on each port. So if setting a port as an untagged member of multiple VLANs, one creates asymmetric settings which in principle will prevent bi-directional communication with devices beyond the port.
And recommendation: don't ever use VLAN ID 1 in any setup. Reason: it's used in the default configuration, which is not shown in a normal export of the configuration and is thus easy to miss ... default config aside, VLAN ID 1 is nothing special and is equal to the other 4093 VLAN IDs. So in most cases there's no need to use VID 1, as there are plenty of others to choose from.
And recommendation #2: when going the VLAN way, using the bridge as a hybrid port (using the bridge interface directly for IP setup and as an anchor for a VLAN interface) comes with a few gotchas ... so I always recommend using the bridge port as VLAN-only.
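The ingress/egress asymmetry and the hidden pvid=1 default described in the reply above can be checked offline against a saved export. This is an added example, not part of the thread and not MikroTik tooling; the sample export, VLAN IDs 10 and 11, the port names and the function names are constructed assumptions.

```python
import re
import shlex

# Constructed sample export (not from the thread); names and VLAN IDs are assumptions.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4 pvid=11
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether4 vlan-ids=11
"""

def parse_export(text):
    """Return ({port: pvid}, [(vid, untagged_ports)]) from export text."""
    pvids, vlans, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
        if section == "/interface bridge port":
            # pvid=1 is the default and is omitted from export output
            pvids[kv["interface"]] = int(kv.get("pvid", 1))
        elif section == "/interface bridge vlan":
            ports = [p for p in kv.get("untagged", "").split(",") if p]
            for vid in kv.get("vlan-ids", "").split(","):
                if vid.isdigit():  # ranges such as 10-20 are skipped here
                    vlans.append((int(vid), ports))
    return pvids, vlans

def audit(text):
    """List ports left on pvid 1 and ports whose untagged egress VLAN differs from pvid."""
    joined = re.sub(r"\\\n\s*", "", text)  # rejoin lines wrapped with a trailing backslash
    pvids, vlans = parse_export(joined)
    findings = [f"{p}: pvid is the hidden default 1"
                for p, v in sorted(pvids.items()) if v == 1]
    for vid, ports in vlans:
        for port in ports:
            # Ingress tags with pvid, egress strips vid: they must match per port.
            if port in pvids and pvids[port] != vid:
                findings.append(f"{port}: untagged in VLAN {vid} but pvid={pvids[port]} (asymmetric)")
    return findings
```

Run `audit()` on the text of an export from the router, the switch and each CAP; an empty list means every explicitly untagged port agrees with its pvid and no bridge port is left on VLAN 1.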