Using vlan 1 for traffic is no worse than using 192.168.88.0/24 (or worse, 192.168.1.0/24) for a subnet. The problem is that they are both defaults, and because of this can have unintended behavior when used with other devices.
Unless specifically overridden, all ports in the bridge will have pvid=1. So on the CRS, all ports other than ether21, ether22 and ether23 will be members of vlan 1. That's quite a bit different than what your graphic shows.
So in the config posted, if you remove vlan 1 from the list of tagged vlan ids specified in /interface bridge vlan, as noted by @vingjfg here (VLAN Filtering - Unreachable Bridge IP - #4 by vingjfg), things would work, i.e. if you plug a PC into CRS port 1, you should be connected to the 192.168.88.0/24 network. Likewise, if you plug into port 23 you will be connected to the 172.16.10.0/24.
I didn't review the firewall, but @anav probably did.
While I agree that it is cleaner to not use vlan 1 for data, other than it being a default used by many vendors, and suggested as default by the 802.1Q spec, and that some vendors "assume" that vlan1 will always be untagged, vlan 1 is just like any other vlan.
One advantage of leaving it as vlan 1 while you are setting up is that in the defconf state, you can safely turn on vlan-filtering and, other than blocking tagged traffic between bridge-ports, it will not "lock you out". What will lock you out is changing the pvid on the bridge without making sure there is another port that is a member of the vlan you are changing it to. See @CGGXANNX's post here (Once and for all COMPLETE Offbridge Port setup - #14 by CGGXANNX) and @Amm0's post here (Once and for all COMPLETE Offbridge Port setup - #30 by Amm0), and skim this thread: My recent VLAN fiasco.
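The lockout condition described in the post above, as an added example that is not part of the original post and is not RouterOS code: a simplified Python model of bridge VLAN membership that checks, before the bridge pvid is changed, whether any other port is a member of the target vlan. The `Bridge` class, the function names, vlan 99 and the pvids 10/20/30 on ether21-23 are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Bridge:
    """Simplified model (an assumption of this example, not RouterOS code)."""
    pvid: int = 1                                   # pvid of the bridge interface itself
    port_pvid: dict = field(default_factory=dict)   # bridge port -> pvid
    tagged: dict = field(default_factory=dict)      # vlan id -> set of tagged ports

    def members(self, vid):
        """Return (untagged, tagged) port sets for one vlan id."""
        tagged = set(self.tagged.get(vid, ()))
        # A port is an untagged member of the vlan that matches its pvid,
        # unless it is explicitly listed as tagged for that vlan.
        untagged = {p for p, pv in self.port_pvid.items() if pv == vid} - tagged
        return untagged, tagged

def check_bridge_pvid_change(bridge, new_pvid):
    """Return (safe, ports): ports that would share the bridge's new untagged vlan."""
    untagged, tagged = bridge.members(new_pvid)
    ports = sorted(untagged | tagged)
    return bool(ports), ports

def sample_crs():
    """Constructed sample: 24 ports, pvid=1 unless overridden on ether21-23."""
    ports = {f"ether{i}": 1 for i in range(1, 25)}
    ports.update({"ether21": 10, "ether22": 20, "ether23": 30})  # constructed pvids
    return Bridge(pvid=1, port_pvid=ports)

if __name__ == "__main__":
    crs = sample_crs()
    print(len(crs.members(1)[0]), "ports are untagged members of vlan 1")
    # No port is in vlan 99 yet, so moving the bridge there would cut off access.
    print("bridge pvid -> 99:", check_bridge_pvid_change(crs, 99))
    crs.port_pvid["ether2"] = 99   # give one access port the new vlan first
    print("bridge pvid -> 99:", check_bridge_pvid_change(crs, 99))
```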