I tested one of the recently developed blacklists on a hAP ac2 and the performance impact was really negligible. Especially if you use fasttrack, there is literally no difference. You can easily apply those results to the RBx011 once you compare the CPUs. Based on my experience, unless you need a full 1Gbit connection, you don’t need a CCR for this kind of blacklist. The only exception is the RB2011, which is simply too weak (keep in mind that the current generation of CRS has a better CPU than this “router”, and it is clearly stated that those CRS are just “switches” and no reasonable routing power is expected from them). It will work, but the impact without fasttrack will probably be significant.
Your understanding (protecting users from malware) is right.
Basic protection from attackers should be done with the simple approach “block everything incoming from WAN unless it is established or related”. If you follow this idea, no blacklist for incoming threats is needed.
Sometimes you will need to whitelist incoming connections (for example SNMP monitoring, site-to-site VPN, etc.). That creates a bit of security risk, but nothing serious, as only authorized (whitelisted) addresses can reach it.
Sometimes you will need to open a specific port to any address (for example a road-warrior VPN, where the client can connect from literally any IP). In that case the security risk is increased, because any IP can reach your service and conduct malicious behaviour (for example brute-force password guessing). In such a case, blacklisting incoming connections from known (blacklisted) IP addresses may be useful.
However, the main reason for blacklists is to protect “established or related” traffic initiated from within your network. For example, when there is a phishing link in an email, or when a crypto-miner is injected into an innocent website. All these pages are requested by the user (and are therefore allowed by the usual firewall), but the user cannot know they contain malicious code. That is where blacklists really step in and attempt to protect your users.
Because of that, you can’t consider a blacklist an alternative to whitelists (which are useful only for incoming connections). It has a different purpose, and even with thousands of blocked IPs a blacklist will not have a significant impact on your CPU.
Personally, I believe a proper IDS/IPS and/or antivirus will do a better job, because these should block traffic based on specific patterns, not just on IP addresses.
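The four cases described in the post above (default drop from WAN unless established/related, a whitelisted service, a port open to any address, and a blacklist on user-initiated outbound traffic), written out as a RouterOS firewall fragment. This is an added example, not the poster's own configuration. The interface list names `WAN`/`LAN`, the address-list names `allowed-in` and `blacklist`, the choice of SNMP (udp/161) as the whitelisted service and IPsec/IKEv2 (udp/500,4500 plus ESP) as the road-warrior VPN, and all IP addresses (documentation ranges, constructed for the example) are assumptions:

```routeros
# Added example, not the poster's configuration. Interface lists, address-list
# names, ports and addresses below are assumptions; the IPs are constructed
# documentation-range sample data.

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2

/ip firewall address-list
# "blacklist" would normally be populated by a feed script; one constructed entry here
add list=blacklist address=198.51.100.0/24 comment="constructed sample entry"
# the only host allowed to poll SNMP (constructed address)
add list=allowed-in address=203.0.113.10 comment="SNMP monitoring server"

/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router itself opened"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept comment="management from LAN"
# case 1: whitelist - only the listed source may reach SNMP from WAN
add chain=input in-interface-list=WAN src-address-list=allowed-in \
    protocol=udp dst-port=161 action=accept comment="SNMP from monitoring only"
# case 2: a service that must be open to any address (road-warrior IPsec);
#         the blacklist drop sits directly above it so known-bad sources never reach it
add chain=input in-interface-list=WAN src-address-list=blacklist action=drop \
    comment="blacklisted sources never reach the open VPN port"
add chain=input in-interface-list=WAN protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T for road-warrior clients, any source"
add chain=input in-interface-list=WAN protocol=ipsec-esp action=accept
# default: everything else arriving from WAN is dropped
add chain=input in-interface-list=WAN action=drop

# ---- forward chain: traffic passing through the router ----
# case 3: blacklist on user-initiated traffic. It must be placed ABOVE the
#         fasttrack rule; packets of a fasttracked connection skip the rules below it,
#         so an address added to the list mid-connection would otherwise not be cut.
add chain=forward dst-address-list=blacklist action=drop \
    comment="LAN user reaching a blacklisted host (phishing page, miner)"
add chain=forward src-address-list=blacklist action=drop \
    comment="traffic from blacklisted hosts, including to dst-nat'ed services"
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN connection-nat-state=!dstnat action=drop \
    comment="no unsolicited inbound from WAN"
```

Because the two `blacklist` drops in the forward chain carry no `connection-state` match, every packet of every connection is checked against the list before it can be fasttracked; with the list rules placed after the fasttrack rule, only the first packet of a new connection would be inspected. Both drops are address-list lookups, which is why a list of thousands of entries costs little CPU, as the post notes.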