I think I will go with the CRS354 and RB4011.
I am also planning a mutiroom audio system using some Raspberry PIs which will use up about 15 ethernet ports. And I think the CRS354 will give me some spare ports.
Currently only the APs are using PoE and they cuome with a PoE injector. For PoE cams I am currently not 100% sure if I will get one. If I will get them, I will get a CRS328-24P-4S+RM later.
Ah. Yes, in that case the CRS354 makes more sense.
Would it make sense, from a performance and security point of view, to add a pfsense or opnsense firewall infront of the router? (WAN > Pfsense > RB4011 > CRS354)
Not really. The RouterOS firewall is capable enough on its own (it's basically Linux iptables), and the RB4011 has enough horsepower to handle normal firewall duties without having any issues with your internet connection.