Total obsolete VLAN documentation

I am using TOS 4.0.5 with multiple VLANs in production. I can't tell how and where traffic goes through (CPU or switch chip). But I can tell you that you can set up VLANs using this method. Interfaces LANX are DSA ports, so creating software VLANs on them will configure them (at least somehow).

If you want to create an additional VLAN (e.g. an untrusted network), just create a new network interface in LuCI and bridge it over the LAN ports you want in "physical settings" (e.g. LAN0.5 and LAN1.5 if you want it on LAN ports 0 and 1 with vid 5). If you want to have an untagged port, you just add LANX to the bridge (e.g. you can add LAN0 and LAN1.5 to the bridge, so traffic on LAN0 will be untagged but traffic on LAN1 will be tagged with vid 5).

I then set up one subnet for every "VLAN interface" and set up traffic rules using forwarding rules in the firewall between those subnets.

I read through multiple threads on this forum stating that LuCI/UCI configuration invokes the ip command (which lacks some functionality regarding VLANs), not the bridge command. But as far as I can tell, I can't see any disadvantages using LuCI, at least in my SOHO setup… I get gigabit speed inside subnets and between subnets, and they are isolated. VIDs seem to be added, as I can communicate on tagged ports with Linux clients attached to them sending tagged traffic. And clients on untagged ports can only reach the subnet that is configured for this port.
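
A way to check a setup like the one described in the post, as an added example that is not part of the original post: it reads UCI-style `network` and `firewall` text, maps each port and VID to the interface that owns it, flags a port/VID claimed by two interfaces, and lists which zone-to-zone forwardings are permitted. The sample configuration, the interface and zone names and the helper names are constructed assumptions; it assumes bridge members are listed in `option ifname`, and it only looks at `forwarding` sections, not at zone defaults or individual rules.

```python
import re
from collections import defaultdict

# Constructed sample: 'untrusted' is untagged on lan0 and tagged with vid 5 on lan1.
NETWORK = """
config interface 'lan'
	option type 'bridge'
	option ifname 'lan2 lan3 lan4'

config interface 'untrusted'
	option type 'bridge'
	option ifname 'lan0 lan1.5'
"""
FIREWALL = """
config forwarding
	option src 'lan'
	option dest 'untrusted'
"""

def parse_uci(text):
    """Return [(section_type, section_name, options)] for each 'config' section."""
    sections = []
    for line in text.splitlines():
        words = [q or w for q, w in re.findall(r"'([^']*)'|(\S+)", line)]
        if len(words) >= 2 and words[0] == "config":
            name = words[2] if len(words) > 2 else None
            sections.append((words[1], name, defaultdict(list)))
        elif len(words) >= 3 and words[0] in ("option", "list") and sections:
            sections[-1][2][words[1]].append(words[2])
    return sections

def port_vlans(network):
    """Map (port, vid) -> owning interfaces; vid None means untagged."""
    members = defaultdict(list)
    for stype, name, opts in parse_uci(network):
        if stype != "interface":
            continue
        for dev in " ".join(opts["ifname"]).split():
            port, _, vid = dev.partition(".")
            members[(port, int(vid) if vid else None)].append(name)
    return members

def conflicts(network):
    """Port/VID pairs claimed by more than one interface (traffic would mix)."""
    return {k: v for k, v in port_vlans(network).items() if len(v) > 1}

def isolated(firewall, src, dest):
    """True when no forwarding section allows src -> dest."""
    allowed = {(o["src"][0], o["dest"][0])
               for t, _, o in parse_uci(firewall) if t == "forwarding"}
    return (src, dest) not in allowed

if __name__ == "__main__":
    print(dict(port_vlans(NETWORK)), conflicts(NETWORK), isolated(FIREWALL, "untrusted", "lan"))
```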