What are the methods for isolating users inside a VLAN (Mikrotik)?
Several Mikrotik CSR3xxx switches are available. I won’t describe the architecture in detail, but let’s say there is 1 router (Mikrotik), a distribution switch (Mikrotik) is connected to it, to which, in turn, several more switches (Mikrotik) are connected. Clients are connected directly to these switches. All equipment handles 5 VLANs to isolate one client group from another. And here the question arises - how to isolate one user of a VLAN from the rest, while leaving them inside one outer VLAN? And on top of that, without the need to configure client hardware.
Now I'm thinking in the direction of QinQ, but there are problems with setting up the equipment - a tagged frame passes through the port and receives a second tag - everything is fine here, but for this you need to configure VLANs on the client. It has not yet been possible to turn untagged traffic into 2 VLANs on the Mikrotik port.
Ordinary segmentation by ports will not help, since clients will see each other on the distribution switch. There is an option with Private VLAN, but I did not find setup manuals for Mikrotik. What other options are there? This is already a question rather for general development, since the number of VLANs on the equipment is far from 4k, you can just make another VLAN, but I would very much like to keep some kind of hierarchy in the network.
This is a bad scenario: a LAN is a LAN precisely so that hosts communicate freely inside it (at the network level). If you still need to limit this, then:
1) QinQ, a VLAN per port, the second tag on aggregation, remove both on the router
2) L2TP/PPPoE/IPoE per user, with port-isolate on the switch
3) ACL on the MAC address, allow only broadcast and the gateway
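
The port isolation from option 2 and the MAC ACL from option 3, sketched as RouterOS configuration; this is an added example, not part of the original answer. The isolation is repeated on the distribution switch, because isolating only the access ports leaves clients on different access switches able to reach each other there. Assumptions: the switches are CRS3xx-series models with ports already in a hardware-offloaded bridge, the switch chip is named `switch1`, the port roles are as commented, and the gateway MAC is a constructed placeholder.

```routeros
# --- Access switch (assumed: ether1 = uplink, ether2-ether4 = client ports) ---
# Frames received on a client port may be forwarded only to the uplink,
# so clients in the same VLAN on this switch cannot reach each other directly.
/interface ethernet switch port-isolation
set ether2 forwarding-override=ether1
set ether3 forwarding-override=ether1
set ether4 forwarding-override=ether1

# --- Distribution switch (assumed: ether1 = uplink to router,
#     ether2-ether3 = downlinks to access switches) ---
# Same rule one level up: traffic arriving from one access switch
# may leave only towards the router, never towards another access switch.
/interface ethernet switch port-isolation
set ether2 forwarding-override=ether1
set ether3 forwarding-override=ether1

# --- Option 3 on an access switch: MAC ACL on a client port ---
# Rules are evaluated in order and the first match wins.
# A rule without an action accepts the frame; new-dst-ports="" drops it.
# 02:00:00:00:00:01 is a constructed placeholder for the gateway MAC.
/interface ethernet switch rule
add switch=switch1 ports=ether2 \
    dst-mac-address=02:00:00:00:00:01/FF:FF:FF:FF:FF:FF \
    comment="allow unicast to gateway"
add switch=switch1 ports=ether2 \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
    comment="allow broadcast (ARP, DHCP)"
add switch=switch1 ports=ether2 new-dst-ports="" \
    comment="drop everything else from this client port"
```

Neither variant needs any configuration on the client side, and both keep all clients in the same outer VLAN.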