the actual WPA2 wifi network is secure. however, the issue is that eth0, wifi0(open wireless network) and wifi0-1(secure wireless network) are all part of in the bridge group br-lan. they all have layer 2 connectivity, they all receive ip addresses in the 172.16.42.0/24 subnet when they connect, and clients in all three networks can freely communicate with each other, since packet filtering and firewalling happen at layer 3.
so, if you have allow communication freely between clients connected via the secure wireless network, the open wireless network and through the ethernet adapter via the bridge br-lan, then you are at still at risk of attacks, port scans, connection attempts and whatever nasty malware on clients connected through your secure wlan and ethernet interface by clients in your open wireless network. the security risk is worse than normal, since you might want to entice people to connect at times, and then there's the always on by default open network with full access to your machines via the bridge and the only security on it is a hidden ssid with a predictable range of the default SSID (Pineapple5_$VAR). oh, the open wifi also get to communicate through client mode connestions, too.
try it yourself, connect to the open network with one machine, connect to the secure network with another, then try communicating to the secure network. ping/portscan/remote desktop/whatever.