Your CSS326 can do IGMP snooping, but it can't establish an IGMP querier, so if long-running multicast streams are started and then abandoned, how do they get shut down? Answer: they don't, they just keep pouring into the port that once upon a time requested them, arbitrarily long ago. Not all multicast protocols have this sort of indefinite duration, but there are some, such as in many IPTV systems. A lot of autoconfiguration type protocols have this, too, constantly sending out some sort of update message. These streams shouldn't keep going out to ports that no longer have a host trying to receive them.
RouterOS also offers several VPN options, including the uncommonly easy to setup WireGuard in the v7 beta. There is no VPN option in SwOS, so you're relegated to handling that some other way. I see from your signature that you have a separate MikroTik router, but not everyone has that luxury. If they have whatever their ISP provided, or if the ISP modem's "VPN" feature is simply terrible, or if they have a third-party non-MikroTik router without a VPN feature, port-forwarding VPN packets to the switch is a viable alternative.
SwOS has no firewalling capability whatsoever. "Okay," you say, "but I already have a firewall." And I tell you that yeah, I see that in your signature, but it's affecting the whole LAN. How do you use it to say something like "nothing down this leg of the LAN gets Facebook"? For that, you either need per-port firewalls, or you're going to have to promote knowledge of leaf MACs clear up to the border gateway router.
A similar case is DHCP. By running that on the switch, you can tie it to a port or a VLAN. And why would you want to do that when you have a perfectly-good DHCP server already, you ask? Because you might have certain clients with special needs. For years, I ran a second DHCP server to feed a bunch of strange little hardware boxes that needed the "next server" DHCP option, which none of the common "Internet gateway" type DHCP servers provide. RouterOS's DHCP server allows me to do that, scoping it to just the devices that need it so the two DHCP servers don't fight each other.