I tested with "Update time" enabled and with the Force Update button.
Here are the firewall -> filter rules I used:
add action=log chain=forward comment="test" dst-address=81.198.86.0/23
add action=drop chain=forward content=cloud.mikrotik.com
add action=drop chain=forward dst-address=81.198.86.0/23
add action=drop chain=forward src-address=81.198.86.0/23
add action=drop chain=forward dst-address=91.188.51.136/29
add action=drop chain=forward src-address=91.188.51.136/29
When I hit the "force update" button, the firewall rule counters are at 0 and the status is updated. So MT CAN contact the cloud server even if you create drop rules in the firewall. The solution is to add a static DNS entry for 'cloud.mikrotik.com' and point it to something that will never be the MT cloud server. I used '255.255.255.255', and after pressing the "force update" button the error was "Error: no internet connection".
Keep in mind that I found out that if MT doesn't have a DNS server specified, it will contact the cloud server by IP address. Firewall rules will not protect the router that has them, but they will protect all others that access the internet through that router.
I hope that this will be useful
and maybe one day improved...
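
Why the counters stay at 0, as an added Python sketch that is not part of the original post: it models the usual RouterOS chain split (forward for traffic routed through the device, output for traffic the router itself originates) and runs the post's address rules against both kinds of packet. The router, client and cloud host addresses and all helper names are constructed for the example, and the content= rule is left out because the model carries no payload.

```python
import ipaddress
from dataclasses import dataclass

ROUTER = ipaddress.ip_address("192.0.2.1")      # constructed: router's own address
CLIENT = ipaddress.ip_address("192.168.88.10")  # constructed: LAN host behind the router
CLOUD = ipaddress.ip_address("81.198.87.240")   # constructed: an address inside 81.198.86.0/23

@dataclass
class Rule:
    chain: str
    action: str
    src: str = ""
    dst: str = ""
    hits: int = 0

    def matches(self, chain, src, dst):
        if chain != self.chain:
            return False
        if self.src and src not in ipaddress.ip_network(self.src):
            return False
        return not self.dst or dst in ipaddress.ip_network(self.dst)

def chain_for(src, dst):
    """Pick the chain a packet traverses, as seen from the router."""
    if src == ROUTER:
        return "output"   # originated by the router itself
    if dst == ROUTER:
        return "input"    # addressed to the router
    return "forward"      # routed through it

def post_rules(chain):
    """The address rules from the post, placed in the given chain."""
    return [
        Rule(chain, "log", dst="81.198.86.0/23"),
        Rule(chain, "drop", dst="81.198.86.0/23"),
        Rule(chain, "drop", src="81.198.86.0/23"),
        Rule(chain, "drop", dst="91.188.51.136/29"),
        Rule(chain, "drop", src="91.188.51.136/29"),
    ]

def evaluate(rules, src, dst):
    """First terminating match wins; log counts the packet and passes it on."""
    chain = chain_for(src, dst)
    for rule in rules:
        if rule.matches(chain, src, dst):
            rule.hits += 1
            if rule.action == "drop":
                return "drop"
    return "accept"
```

With the rules in forward, a packet from ROUTER to CLOUD matches nothing while the same destination from CLIENT is dropped; calling post_rules("output") instead makes the router-originated packet hit the log and drop rules.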