then bridge acts as a dumb switch
But it's not a dumb dumb switch, i.e. it doesn't push the frame out of all ports if its destination MAC is in its table. So it won't necessarily always leak tagged frames, am I right?
A dumb switch or bridge does forward frames according to the MAC<->port table. If the table doesn't have an entry with the dst MAC address, such a switch forwards the frame to all ports (except the ingress port). This is one way which leaks VLANs.
If a malicious user just listens to the traffic, he will collect the list of live VLANs in a short time (every now and then there will be some frame with a yet unknown dst MAC address or a broadcast frame).
Most NICs have a single MAC address and that MAC address is then used for all VLANs that the NIC might be a member of. If the switch receives a frame with such a dst MAC address, it'll forward the frame even if the connected device is not a member of the VLAN marked in the frame header. This can be used to send some malicious frame to a device which is a member of another VLAN (and should be inaccessible).
Then security: if the switch/bridge administrator doesn't set up allowed VLANs per switch/bridge port, then a malicious user can freely join any of the VLANs flowing through such a switch/bridge, including the highly protected management VLAN.
And the list of issues continues ... endlessly ...
ports are trunk ports carrying all VLANs
With respect to Mikrotik configuration lingo, what constitutes a trunk port? And, while we're here, what constitutes a hybrid port?
A trunk port is carrying one or more VLANs, all of them tagged.
An access port is carrying a single VLAN, which is untagged on the wire and tagged in the switch/bridge.
A hybrid port is carrying two or more VLANs, one of them is untagged on the wire, the others are tagged on the wire. All VLANs are tagged in the switch/bridge.
With respect to the following lab setup:
Addition to point #2: since a DHCP lookup is a broadcast, every device that is a member of the same (V)LAN will receive that packet. In a properly configured VLAN switch/bridge environment that DHCP lookup frame would be restricted to a single VLAN; in a network with dumb switches/bridges all devices will get it. Some will notice the VLAN tag and discard it (if they are not set up as tagged members of said VLAN), others (with buggy NIC drivers) will pass it to the IP layer. In every VLAN there has to be a DHCP server (unless all devices in that VLAN have manually set IP settings) and if some DHCP server is behind such a buggy NIC driver, it might even answer this DHCP lookup even though it shouldn't (but if all necessary DHCP servers are running on your router this won't happen).
Addition to point #4: after the client receives a DHCP lease from the server, it has to verify that the assigned address is not in use; for that the device sends out a broadcast frame (and if some receiver of this broadcast is already using the address, it'll reply with a unicast frame) ... again some leaking. In theory it is possible to use the same IP subnet in different VLANs and in this case all hell would break loose.
The rest is fine (I guess).
In most SOHO cases one can live with dumb switches/bridges even if there are some VLANs in the mix. However I highly recommend to go full VLAN on all LAN infrastructure devices when the need for the first VLAN arises. Especially so if all gear is capable of doing VLANs properly.
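
The forwarding behaviour described in this post can be checked with a small model. The following is an added example, not part of the original post and not RouterOS code: a simplified MAC-learning bridge in Python that runs the same frames through a VLAN-unaware ("dumb") bridge and through one with per-port allowed VLANs. The port names, VLAN IDs and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Bridge:
    allowed: dict          # port -> set of VLAN IDs permitted on that port
    vlan_filtering: bool   # False models the "dumb switch" case
    fdb: dict = field(default_factory=dict)  # learned MAC table

    def _key(self, vlan, mac):
        # VLAN-unaware learning ignores the tag: one entry per MAC for all VLANs.
        return (vlan, mac) if self.vlan_filtering else mac

    def forward(self, ingress, src, dst, vlan):
        """Return the sorted egress ports for one frame carrying VLAN ID `vlan`."""
        if self.vlan_filtering and vlan not in self.allowed[ingress]:
            return []                      # ingress filtering: VLAN not allowed here
        self.fdb[self._key(vlan, src)] = ingress
        port = None if dst == BROADCAST else self.fdb.get(self._key(vlan, dst))
        if port is not None:
            out = [] if port == ingress else [port]
        else:                              # broadcast or unknown unicast: flood
            out = [p for p in self.allowed if p != ingress]
        if self.vlan_filtering:            # egress only to members of the VLAN
            out = [p for p in out if vlan in self.allowed[p]]
        return sorted(out)

def scenarios(vlan_filtering):
    # Constructed lab: a trunk plus two edge ports; VLAN 99 is management.
    br = Bridge({"trunk": {10, 20, 99}, "office": {10}, "guest": {20}}, vlan_filtering)
    office_mac, guest_mac = "02:00:00:00:00:10", "02:00:00:00:00:20"
    router_mac = "02:00:00:00:00:01"
    return {
        # DHCP lookup: broadcast in VLAN 10 entering on the office port
        "dhcp_broadcast_vlan10": br.forward("office", office_mac, BROADCAST, 10),
        # the guest host talks in its own VLAN, so the bridge learns its MAC
        "guest_learned": br.forward("guest", guest_mac, BROADCAST, 20),
        # frame tagged VLAN 10 addressed to the guest host's (single) MAC
        "vlan10_to_guest_mac": br.forward("trunk", router_mac, guest_mac, 10),
        # frame tagged with the management VLAN entering on the guest port
        "guest_tags_vlan99": br.forward("guest", guest_mac, router_mac, 99),
    }

if __name__ == "__main__":
    for mode in (False, True):
        print("vlan_filtering =", mode, scenarios(mode))
```

With `vlan_filtering=False` the VLAN 10 broadcast reaches the guest port, the VLAN 10 frame is delivered to the guest host by MAC alone, and the VLAN 99 frame from the guest port is forwarded to the trunk; with per-port allowed VLANs none of the three crosses the VLAN boundary.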