suppose they are on same LAN segment (dumb switch) so the only routing decision is possible on router itself, based on source address
which source address? from 10 temporary address assigned, which one should i use in filtering?
and, yes, there is security question. Why should i allow some device which is not handled by dhcp to make anything on network?
I do agree that it would be nice if MikroTik were to develop IPv6 DHCP for handing out individual addresses, but for two specific purposes. One is from a service provider standpoint, that some third party home routers will not accept a prefix if they do not also get an address ffrom DHCP. They are obviously programmed with a poor implementation, but DHCPv6 stateful addressing would take care of this. The second reason is for IPv6 mode-config in IPsec roadwarrior VPN, where mode config is currently only possible using stateful addressing (I don't think mode-config supports giving a /64 to a client yet).
However, I think you may be overestimating what IPv6 DHCP can do, and its usefulness on a corporate network. Unlike IPv4 DHCP, it does not record the hostname of the client that gets the address, and it also does not record the MAC address. So all that you have is a DUID and a lease time. If you go around and record DUIDs for all your computers, this identification mechanism can still be useful, but is not as directly usable as IPv4 DHCP, where you know what the client's hostname is and what the MAC address is.
The other issue is that Android does not support DHCPv6 client to receive stateful addresses, and never will. Google has refused to ever support this. Those who have rolled out DHCPv6 client only and not SLAAC are preventing Android devices from connecting to their network. If you run both SLAAC and DHCPv6 client then your computers can also get addresses through SLAAC and the use of DHCPv6 server as an identification mechanism goes out the window, since the computer can decide to make the request via the SLAAC address instead.
Due to Google's refusal to ever support stateful DHCPv6 anytime in the future, new standards have been developed (ex. RFC8273) to work around this by giving each host a /64 subnet all to itself. This could be implemented on a corporate network by giving each computer a DHCPv6-PD client to request a /64 prefix of its own, and the computers will then essentially act as routers too. I have heard that Facebook does this internally, or something close to it at least.
Finally, please be aware that if your computers are connected to Active Directory, their SLAAC addresses will automatically be added as AAAA DNS records in active directory, along with corresponding PTRs in the reverse zones. This ends up being a much more useful way of telling which computer it is from its address than manually maintaining a list of DUIDs and which computer they go with. This could potentially be used in your case to allow for limitations or restrictions per computer.
Most firewalls have developed functionality for IPv6 that allows them to automatically match up v4 and v6 hosts based on various criteria, basically "host tracking". Currently MikroTik does not do any kind of host tracking, outside of Kid Control. I believe what you are really asking for (and don't realize it) is some kind of host tracking mechanism like "next-generation firewalls" often have.