Honestly, I would not look for problems with MTU. More with h2 ac2 performance.
I cannot imagine Mikrotik intentionally publishing inflated test results, I can imagine them (like any other vendor) to publish results obtained under ideal conditions (which @Emils has suggested). So I've suggested my real experience. It's not "problems with MTU", it's how fragmentation affects network performance in general. Note that the issue is so significant that IPv6 has changed the rules how fragmentation may be handled.
In the attachment I am sending screen of devices between which I am doing the test.
(147.700.000 Mbits/s / 12.170 packets/s) / 8 bits/byte = 1517 bytes/packet, which means that the fragmentation is not the issue here - if it was, the result would be around 800 bytes/packet.
So @McSee's suggestion is the next one to deal with, as in the btest manual you can see a Note:
Bandwidth Test uses a lot of resources. If you want to test real throughput of a router, you should run bandwidth test through the tested router, not from or to it.
The IPsec performance degrades when it has to rearrange received packets, which is why the sending direction of any given SA is forcifully handled by a single core, and also all handling of any given packet tends to be done on a single core for performance reasons. So chances are high that btest sends the packets using the same core which encrypts them, maxing that core out.
I am wondering about IRQ called qca_crypto. As if IPSEC was supported by software and not hardware.
On the left you can see 4011 (both devices work on ARM processors) and there is no such IRQ.
That's a good point, however I'd rather expect it to indicate the reverse - a "crypto" interrupt suggests that the CPU is notified about "encryption finished" event by means of that interrupt when the hardware has finished the encryption.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.