First of all, this is a request for SwOS, so IP firewall filter rules don't solve any of these issues - no one seriously is going to use bridged router ports and turn on the IP firewall for bridges, they simply don't perform well enough compared to 5 wire speed switched gig ports that the RB250GS offers. Using a switch chip on a router also doesn't allow you to use the IP firewall.
So one simple benefit would be blocking rogue DHCP servers on switched edge ports. The alarm built into RouterOS as a layer 3 gateway on such broadcast domains is useful, but occurs after the fact. Being aware that there is a rogue DHCP server does nothing to prevent the rogue DHCP server from announcing itself as a gateway to other switched hosts until you've taken it offline.
DHCP snooping also allows the switch to collect MAC and IP address information about devices behind its ports. That in turn allows it to block frames/packets that shouldn't occur.
By way of example for ARP spoofing: let's say we have a router at 10.1.0.1 with MAC 0000.0000.0001. Connected to it is a switch that in turn has hosts 10.0.0.2 with MAC 0000.0000.0002 and 10.0.0.3 with MAC 0000.0000.0003. Host .2 wants to get out to the Internet and knows that its default gateway is .1. That is on the same subnet, so it will talk to it directly, and to find out the gateway's MAC address it sends an ARP request for .1. Host .3 is a malicious user and listens for the ARP request. He sends back an ARP reply claiming that the MAC address for .1 is his own, 0000.0000.0003. Because he is closer to the host sending the request, his reply gets there first. Host .2 now sends all his traffic to the MAC address of .3, which looks at all the traffic before sending it on to MAC 0000.0000.0001. Malicious host .3 is now a transparent man in the middle, able to sniff all the traffic from .2 out of the network. Host .2 is none the wiser.
If the network was DHCP only (or static mappings had been defined) and the switch was running DHCP snooping, it would know that host 3 is pretending to be someone he is not, and could drop the malicious, spoofed ARP reply.
That is only one kind of attack possible to prevent when the switch has such a table of MAC and IP to port mappings available.
This is NOT something caused by a network "not being designed properly". These attacks have been well known for years and are direct consequences of how Ethernet and TCP/IP and DHCP implementations work. Mitigation features are present in virtually all top of rack/access layer/IDF switches suitable for enterprise deployment.
That said, an RB250GS isn't that, and I doubt this feature is implementable in the hardware that powers these switches.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
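The switch-side checks described in the post above, as an added example that is not part of the original post and is not SwOS or RouterOS code. It is a toy Python model of a DHCP snooping table feeding ARP inspection; the port numbers, the `SnoopingSwitch` class and the assumption that the gateway sits at 10.0.0.1 on trusted port 1 are all constructed for illustration.

```python
# Toy model of DHCP snooping + ARP inspection on an access switch.
# All addresses, ports and names are constructed for this example.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class SnoopingSwitch:
    trusted_ports: set                              # uplinks toward the real DHCP server/gateway
    pending: dict = field(default_factory=dict)     # client MAC -> port it requested on
    bindings: dict = field(default_factory=dict)    # IP -> (MAC, port), learned from DHCP ACKs

    def on_dhcp(self, in_port, msg_type, client_mac, yiaddr=None):
        if msg_type in SERVER_MSGS:
            if in_port not in self.trusted_ports:
                return "drop"                       # rogue DHCP server on an edge port
            if msg_type == "ACK" and client_mac in self.pending:
                self.bindings[yiaddr] = (client_mac, self.pending.pop(client_mac))
            return "forward"
        self.pending[client_mac] = in_port          # DISCOVER/REQUEST: remember the client's port
        return "forward"

    def on_arp(self, in_port, sender_ip, sender_mac):
        if in_port in self.trusted_ports:
            return "forward"
        # On edge ports the claimed IP/MAC must match a snooped lease on that same port.
        ok = self.bindings.get(sender_ip) == (sender_mac, in_port)
        return "forward" if ok else "drop"

def run_scenario():
    sw = SnoopingSwitch(trusted_ports={1})          # port 1: router/DHCP server (assumed)
    for port, mac, ip in [(2, "0000.0000.0002", "10.0.0.2"), (3, "0000.0000.0003", "10.0.0.3")]:
        sw.on_dhcp(port, "REQUEST", mac)
        sw.on_dhcp(1, "ACK", mac, yiaddr=ip)
    return {
        "rogue_offer": sw.on_dhcp(3, "OFFER", "0000.0000.0002", yiaddr="10.0.0.66"),
        "spoofed_gateway_arp": sw.on_arp(3, "10.0.0.1", "0000.0000.0003"),
        "honest_arp": sw.on_arp(3, "10.0.0.3", "0000.0000.0003"),
        "gateway_arp": sw.on_arp(1, "10.0.0.1", "0000.0000.0001"),
    }

if __name__ == "__main__":
    for event, verdict in run_scenario().items():
        print(f"{event}: {verdict}")
```

The spoofed reply is dropped because no lease binds 10.0.0.1 to port 3, while host .3's ARP for its own leased address still passes.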