In the docs it says
All packets are IPIP encapsulated in tunnel mode... If you do not use tunnel mode (id est you use transport mode), then only packets whose source and destination addresses are the same as sa-src-address and sa-dst-address can be processed by this policy. Transport mode can only work with packets that originate at and are destined for IPsec peers (hosts that established security associations). To encrypt traffic between networks (or a network and a host) you have to use tunnel mode.
( IPsec - RouterOS - MikroTik Documentation )
So does this mean you create a policy in transport mode for two IKE daemons for Phase1/Phase2?
What is the practical use-case for transport mode under /ip/ipsec/policy?
ipsec is more than a vpn protocol. What they wanted to say by that paragraph is probably that tunnel mode encapsulates the packet that is going to be encrypted to sa-dst-address in a "invisible" ipip packet. this is needed since else the actual source and destination address would be lost.
simple example: you have a site to site vpn between two routers 100.0.0.1 with network 192.168.1.0/24 and 100.0.0.2 with network 192.168.2.0/24.
If a host sends a packet from 192.168.2.2 to 192.168.1.2, that packet must be encapsulated, sent to 100.0.0.1, on that router deencapsulated and sent to 192.168.1.2
I'm going a few steps back:
sa-src and sa-dst are the two ipsec endpoints. if you are using transport mode with protocol=all, every packet between this two hosts will be encrypted. A usecase might encrypting port 80/http in a world where tls is not invented. In this case this is not a vpn in the sense that additional ip addresses are around. Its simply an encryption layer between layer 3 and 4.
What I use it for is encrypting gre packets (GRE - RouterOS - MikroTik Documentation). Over gre interfaces ospf is possible so I only need to setup one ipsec transport policy and I can freely add subnet on both sides without the need to adding and removing policies. In this case IPsec is actually not the component that makes the vpn, but gre. Since gre has no encryption, I add this with ipsec. Since both ipsec endpoints can see each other and don't need to tunnel packets on the ipsec layer I spare some extra bytes (the size of the ipip encapsulation)
If you don't have an extra encapsulation, you cannot do vpn. You can add this encapsulaton natively using tunnel mode or using another protocol and using ipsec in transport mode.
If you just need to encrypt the communication between hosts that can see each other (ipv6), you don't need a vpn and thus extra encapsulation, so you might simply avoid that extra step