Because dsa uses a single bridge for all Ethernet ports.
DSA syntax has the construct of single bridge and then the bridge-VLANs to create the vlan ids and the associated ports.
From the network config, security is no different. It is only necessary to add the bridge-vlan for guest if you need Ethernet on that network (such as to connect it to another AP). Otherwise, what you have is fine.
Yes. Generally. I recommend for untagged ports to explicitly specify untagged + pvid. That is, add :u* to each untagged port for the respective vlan.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! 