I am not a cryptographic expert so I cannot suggest which of the encryption algorithms is more secure.
When it comes to throughput and CPU load, the available information is quite inconsistent. The Mikrotik product page does not mention support of encryption in hardware for the L009, but its block diagram says it is built around the IPQ-5018 SoC, and on the IPsec manual page, IPQ-5018 is listed among CPUs that do provide encryption in hardware - however, only for aes-cbc and aes-ctr combined with sha up to sha256, not for aes-gcm. Your first response shows none of the SAs on the 7.15.x device to use hardware encryption, but all of them, including the aes-gcm ones, to use it on the 7.17.2 device. But the changelog from 7.15.1 all the way to 7.17.2 does not mention anything related to hardware encryption on the IPQ-5018.
So if some of your L009 devices running 7.15.x shows high CPU usage or even exhibits performance issues, it may be a good idea to upgrade it to 7.17.2, change the proposals to aes-cbc or aes-ctr based ones, and compare the throughput and CPU load before and after.
As for PMs - except for a few brief periods in the past, they are disabled on this forum. So you can follow this post if you want, but I don’t need any “special thank you”.