and as I understood, these are hp switches and they are managed.
And I would do this: I would
create 3 vlans:
- one equipment management, then these 2 switches will be managed in the same network;
- the second is a network for users;
- the third one is for the video.
With vlans, you divide your network into logical ones, that is, from one vlan you will not have access to another by setting the appropriate rules in the firewall.
Accordingly, on Mikrotik, let's trunk to the ports that are connected to the switches, and on the client ports on the switches, you need to register the ports in access, because clients and cameras are not aware of vlans.
As a result, we get that all traffic coming to the end ports is automatically wrapped in the vlan that you specify in access.

If I was able to correctly in the model of your iron (we are talking about switches), then they are not managed by you, which means they do not support normal differentiation by ports / vlans.
In this case, you don’t need any vlans, just make two separate l2 networks and separate addressing for them, prohibit traffic between them either by routes (like yours) or (which is more reliable) at the firewall level with two drop rules.
A bridge is not required in this design; with the same success, addresses and firewall rules can be applied directly to the fifth port.
Also, I note that, in principle, a situation is possible when cameras are able to VLAN, then it would be possible to configure native vlan on each camera, then add a virtual interface with the same vlan id to the master port and create addressing, routing and firewall rules on this VLAN interface . But again, I note that in your case (in the presence of two separate switches, each for its own l2 network), this is unnecessary and, moreover, not safe, because. anyone will be able to receive traffic by registering the vlan id on the interface.

And it’s easier to hang a network for subscribers (YYYY / 24) on the master port and a network for cameras (Х.Х.Х.Х / 24) on a worthless port, this will not interfere with Mikrotik, give the rules for communication between networks in the firewall and draw routes. the only thing! addresses will not be distributed via DHCP for both ranges, 2 "servers" per interface do not seem to be filed, but you can assign statics by catching sessions on Mikrotik.