So I wonder if the new secure winbox connection cannot handle NAT.
Was setting up a new router that I pre configured but managed to frogg up the OSPF config on the new one.
GRE connected but I had to NAT my connection to get route back and Winbox did not want to connect with legacy mode on or off.
Used SSH to fix my config and once NAT was off Winbox worked again.
Just a guess but this might be how they solve man in the middle attacks but this creates the issue that I cannot force my router to use legacy mode if all this is true.
Edit: What I mean is that I think new Winbox security cannot handle stuff like NAT that "tamper" with the header of the package. Once again just a guess and I have not tested.