I'm planning to setup a proper and secure LAN for a home with many devices.

Basic ideas (requirements):

• Proper separation for our trusted devices (computers, notebooks, nas, printers, etc)
• Single SSID Wifi6 with both 2.4GHz and 5GHz frequency
• Proper separation for multimedia devices (tvs, radios, etc), some of them are on wifi, some on wires
• Proper separation for security cameras (they are all on wifi)
• Proper separation for guest devices (they are all on wifi)
• Proper separation for managing the network routers

Now, my key concept is to use VLANs for separation. But as for many devices are connected through wireless, I will need to use a MAC-based VLAN ID assocication. I don't currently have any RADIUS server setup.

Network design:

• Main router: L009
• 1st AP: CAP AX
• 2nd AP: Hap AX2

Access requirements:

• Trusted devices must access everything
• Guest devices must access only internet
• Multimedia devices must access some trusted devices (nas), AND internet
• Some guest(s) must access some/all multimedia devices
• Some guest(s) must access some trusted resources (printer)

In case I wish to use VLANs, I would define these:

• VL10 - Management
• VL20 - Trusted
• VL21 - Multimedia
• VL30 - Cameras
• VL100 - Guests

Is this VLAN-based approach feasible? I'm willing to learn, and I don't fear of getting complex configuration, but only in case it has some real benefit(s).

The trickies thing is that some clients on Wifi must get VL10, some must get VL100, and some get VL30 - in spite they are on the very same Wifi.

Approach seems off.
VLANS is to separate users into homogenous groupings where they can all see each other at Layer2.
Sounds like you need more vlans or more WLANs or both

Thanks, @anav!

I know caps are capable for providing more than one SSID.

But isn't it causing a performance drawback to broadcast multiple SSIDs?

Is my approach seem off because I wish to define complex access rules between (inter-)VLANs?

If VLAN is for segmenting of users (Sales - VL10, Management - VL20, IT - VL30), and there is only one printer in VL30, isn't it feasible to grant access to this printer in VL30 for Sales and Management?
With rephrase: are VLANs purely recommended to provide full separation, without any inter-VLAN access?

Thank you!

VLANs are to reduce broadcast traffic and separate concurrent traffic such as voip and video for example. Multiple SSID create heavier beacon load in the air, otherwise I wouldn't say 4 ssid is way worse than 2, but if you make even more that can be a problem. Usually 1-2-3 is enough.
Also this "convenient" vlan naming such as 10, 20, 30 etc doesn't reflect network address correlation and creates chaos later. Way better to plan your network as a bigger prefix, such as 192.168.64.0/22 and split into /24 for different purposes like management, production, wlan, access control etc. And name vlan corresponsive to network number. This will be easier to maintain later when config will grow.
Also always remember about physics and don't chase better standards just for fun. For example you take cap ax with 2 chains and you put 2-3 SSIDs in there and there's two chips for each frequency, so if you'll have production load and guest load at 5 ghz at the same time the performance will drop and split between. But if you'd take Audience which has 4-chain 5ghz on one 5 ghz chip and 2-chain on other, split productino and guest to different physical transmitters and use separate frequency then even though ac is a bit slower than ax you'll get better parallel performance.
So in my opinion mikrotik is chasing it's tail making obsolete devices for ax standard while it should run for wifi7 until it's too late. And make 4-chain devices and multiple-chip devices such as Audience which is really nice as a home-AP.

Legit concerns.
I would say four SSIDs is reasonable 2x 2.4 and 2x5.
A stretch to go to SIX but still possible.

Of course vlans and firewall rules make for very flexible approaches.
Typically the last rule in the forward chain is DROP ALL.
That means only rules with allowed traffic above this rule are executed.
typically lan list to wan list for internet
in your case
all lan to shared Printer ..........
etc...