It looks like you are doing the VLAN filtering in software, hence putting all load on the CPU. Configuration must be done under
/interface ethernet switch to take advantage of the switch properly.
Example from my setup:
# egress tagging
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=10
# ingress tagging
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether1
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=10 ports=ether3
add customer-vid=0 new-customer-vid=10 ports=ether4
add customer-vid=0 new-customer-vid=10 ports=ether5
add customer-vid=0 new-customer-vid=10 ports=ether6
add customer-vid=0 new-customer-vid=10 ports=ether7
add customer-vid=0 new-customer-vid=10 ports=ether8
# active vlans
/interface ethernet switch vlan
add comment=LAN ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether7,ether8 vlan-id=10
# vlan filtering
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/ip address
add interface=vlan10 address=192.168.88.1/24