I want to use a powerbox pro just as a switch with maximum hardware offloading as possible. I have this configuration, but I am not sure if changing anything will allow me to access even more wire speeds.

Do I really need a bridge? Instead, will adding switch rules a faster, more hardware accelerated approach?

The setup seems optimal to me.

Yes, you do need bridge. Adding ether ports to bridge seems to enable inter-port forwarding, without it traffic doesn't flow between ether ports even if all is done by switch chip. And you definitely need bridge to enable management access via VLAN 523 which enters device via trunk port ether1.

Before ROS v6.40 there was master port and slave ports and one used to address master port to interact with port group. Both functions are now delegated to bridge.

Is there any difference if I remove MGMT VLAN from the bridge and move it to ether1?

When an interface is made member of bridge, then no further configuration should use that interface directly. Such erroneous configuration isn't flagged as invalid by ROS, but sometimes causes random misbehaviour.
So no, you can't create vlan interface on top of ether1 interface. Besides, if bridge functions are offloaded to switch chip (either automaticalky by ROS or by manual configuration which is the case in your config), then most packets never pass the switch chip - CPU interconnect so there's no worry that they'll peg the CPU. The mentioned interconnect will only carry traffic which, according to switch chip's ARP table, has to be dealt with by CPU ... in your case that will include only management traffic between ether1 and ROS inside VLAN 523 as per switch chip configuration.

Potential overhead, caused by bridge, is slight as all packets targeting management interface have to pass bridge code but that code won't perform any of (potentially numerous) functions - e.g. none of VLAN related. Next step - handling of the VLAN header - will be performed by vlan pseudo-interface, but this step is identical as if this vlan interface was bound directly to ether1.

BTW ... I've never tried, but I have suspicion that your setup eoukdn't even perform as (unmanaged) switch between ports without having bridge configured. You can try and see if it does. You'll have to prepare a way of out-of-band management access though ...