VETH are weird, and @tagent points out it be unclear what the actual “best practice” is from Mikrotik.
I don’t think there are any issues with using VETH into “dumb” bridge, vlan-filtering=yes bridge, or unbridged VETH, per se… Now… configuration of IP address, routing, firewall varies a LOT depending on which one you choose… I kinda view “auto-mac” as a separate topic that MIGHT be effected by configuration of VETH and a “consideration” not a rule. The take away be however auto-mac is configured, you probably don’t want VETH being the admin-mac for a bridge interface be a quasi-rule…
Also if you enable logging, you should be able to see command line errors in the distroless version. Once you know the right command line, you probably don’t need a shell. While I doubt an Alpine shell is significant hit on flash, just saying it at some point you’ll know the right command for cloudflared…
I doubt experimenting with alpine + cloudflared is going to long term damage. What I see is that number of bad blocks does increase over years on devices, but even with 10 year old routers that used “graphing” and “DHCP leases on disk” (which both write to disk), I have not seen a complete failure of flash. Now on the 16MB flash ones… that were you would never want any container to touch the flash (which are generally pretty poor for containers)…
Anyway, my experience is that bad power is how Mikrotik’s die, not failed flash due to writes. While I can’t say never, an hour with Alpine shell trying to configure cloudflared running on flash is not something that could do “long term” damage.