@flygarn12 is correct that a dumb AP with multiple VLANs/SSIDs should generally only have a single network set as static/DHCP, and the others should be set to unmanaged (proto none). It is also correct that the interface that is managed should be associated with the trusted/management network.
Now, it is certainly possible to have multiple interfaces that are managed (i.e. static IP or DHCP client addresses), but if your goal is (as stated earlier):
then the absolute best way to achieve the goal is to make sure that the only address that exists on the OpenWrt dumb AP is associated with the trusted/management network. That address, in turn, becomes the only address that OpenWrt will be listening on, and your router/firewall can then be used to block inter-VLAN routing such that the dumb AP is not accessible from the untrusted networks. There is no reason to have any of the other network interfaces "managed" unless the OpenWrt device needs to participate on those networks.
EDIT: To clarify, when set up with only a single network using a 'managed' interface, the uhttpd config can be set to listen on 0.0.0.0 and there will be no race conditions and a reduced attack surface because this binds to all managed interfaces (and the unmanaged ones are entirely ignored because OpenWrt does not have an address on those networks).
I also think that if you have input=reject on the zones that contain your untrusted networks, the issue is more than likely stemming from your upstream router/firewall configuration allowing inter-VLAN routing.
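
A way to check a dumb AP against the layout described in the post above, as an added example that is not part of the original post: the script reads a config in `/etc/config/network` format and lists every interface on which the AP would hold an address. The sample config, interface names, VLAN devices and addresses are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /etc/config/network format; interface names,
# VLAN devices and addresses are assumptions, not taken from the thread.
sample_config() {
cat <<'EOF'
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'

config interface 'mgmt'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.2'

config interface 'guest'
	option device 'br-lan.20'
	option proto 'none'

config interface 'iot'
	option device 'br-lan.30'
	option proto 'dhcp'
EOF
}

# Read a network config on stdin and print every non-loopback interface
# whose proto is anything other than 'none', i.e. every network on which
# the AP itself would hold an address.
managed_interfaces() {
	awk -v q="'" '
		{ gsub(q, "") }   # drop UCI quoting; awk re-splits the fields
		$1 == "config" && $2 == "interface" { name = $3 }
		$1 == "option" && $2 == "proto" && $3 != "none" && name != "loopback" { print name }
	'
}

# Succeed only when exactly one interface is managed.
single_managed() {
	[ "$(managed_interfaces | awk 'END { print NR }')" = "1" ]
}

sample_config | managed_interfaces   # lists mgmt and iot: iot should be proto none
```

On the AP itself, `managed_interfaces < /etc/config/network` runs the same check against the live config.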