That's about right! This is what I advise on the Converting to DSA page I wrote.
Even if we had a port directly connected to the CPU (this is possible on the mt7621 SoC), let's say the wan port, it still wouldn't matter if we were to put it in the same bridge with other switch port interfaces. If you want to do VLAN filtering on all of the interfaces, you put them all in the same bridge. wan and lan interfaces will still have 2 Gbps access to the CPU in total.
There's also this feature called bridge offloading. Most DSA subdrivers implement this. The only one I know that lacks this is the rtl8365mb driver. What this feature does is it offloads traffic between switch ports. Forwarding frames between switch ports will be offloaded to the switch hardware so they don't go through the CPU and exhaust the link to the CPU. This saves CPU usage as well. This is the CPU usage for switching frames at 1 Gbps between two interfaces without bridge offloading:
However, bridge offloading is only useful for switching frames between LAN ports (what makes a LAN port is completely up to us). We usually need to route wan traffic, so we need to have the CPU involved; in other words, have those packets delivered locally.