@tojoe, I agree that the manual is not excessively verbose regarding loop-protect, but there is an interesting point - you can activate it not only at physical Ethernet interfaces and L2 tunnels but also at /interface vlan. Which suggests that the protocol is VLAN-aware. So I've checked what is actually going on. I've used a hAP and a hEX for the test, but given that Mikrotik use their own ethertype for the loop-protect frames, I guess it is not implemented in hardware on CRS3xx so it behaves the same there. I've used 6.45.7 for the test.
The auto-disabling of an Ethernet port only happens when the port receives a tagless loop-protect frame with one of the machine's own MAC addresses as source. If it receives such a frame tagged, it forwards it rather than blocking itself, but it does log the event (it logs ANY frame like that, not just a loop-protect one).
While vlan-filtering is set to no on a bridge, no tagging or untagging is ever done on Ethernet or EoIP member ports of that bridge, only on /interface vlan attached to it, and the pvid values of /interface bridge port rows are ignored.
And what's best, if an /interface vlan receives a loop-protect frame with a matching tag, it gets disabled too. Which is fine in the one-bridge-per-each-vlan configuration (where the tagged ends of several /interface vlan are connected to different carrier interfaces and their tagless ends are member pors of the same bridge), but a disaster in the common-bridge-for-all-vlans setup where the loop-protection frame sent by itself comes back to an /interface vlan.
So if you can make sure that you use the same pvid on all Ethernet ports belonging to the same bridge, you are fine to use loop-protect on those Ethernet ports. If you need to use the same VLAN tagged on some ports of a bridge and tagless on other ports of the same bridge, the loop-protect mechanism as currently implemented in RouterOS will not work properly.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.