Hmmm, ok. Can you help me to find out what exactly the issues are?
Yes, I found at least one, but this just tags each LAN port with a different ID, which is a bit of a theoretical approach - in this case one would just configure the switch port on the other side to be an access port and would not need to bother with VLANs on the AP. The more real-world approach is IMHO to route all LAN-related traffic over the 10GE port, but keep the guest (unknown, non-trustable devices), family (TV, audio, video, PCs, laptops, ...) and management (IoT, switch consoles, surveillance, power meters, ...) WLANs alias GuestNetworks separated. And for my cases, I do not even need any WAN or DHCP functionality - each VLAN already has its own DHCP server and router (history, performance, etc.). So basically I think the normal use case would be {L|W}AN port : VLAN = 1:n, whereby each VLAN usually appears on a single {L|W}AN port only (unless there are inactive fallback ports configured), to prevent any loops. The other threads refer to older FW and do not really discuss what the problem actually is.
The other thing I do not understand is the 'model' thing. Per default, tagging is done by the corresponding kernel module, and this one should transparently call the HW-related [accel] callback, if there is any. So do you mean by 'depending on the router model' that those ones use HW calls and that these calls produce buggy results? If so, shouldn't it be sufficient to replace the proprietary module with the Linux vanilla module and let it tag in software? Since it is using an already reserved field, I would expect that [un-]tagging should be really cheap, even if done in software. Am I still missing something?
Last but not least: CLI is fine, it is actually what I prefer ;-) But I am trying to understand the whole thing first, before putting many more resources into it (e.g. I still haven't found out why all eths and wls always get bound to br0 ...).