There is no real security difference between the two as root on the host has kernel access so you can pretty much always assume that it will have access to your container’s network traffic one way or another.
The main points to consider with macvlan are:
- macvlan tends to be faster than bridging as it skips a whole bunch of kernel code
- when using macvlan, the host will not be able to communicate with the container over the macvlan interface
- the number of macvlan devices may be restricted based on hardware limitations of your physical NIC
- it can be very difficult to debug macvlan related issues as it may not behave the same on all kernel drivers and physical cards
If none of the limitations affect your setup, then go for it. If you need more flexibility, debug-ability or a more reproducible environment, bridging may be preferable (with openvswitch being one way to optimize performance there).