
Sure they can... but they can’t get around your outgoing firewall rule that reroutes all traffic for certain ports to the proxy.


Hm, I have to see if Mikrotik has rule syntax for this. I can already force every app that thinks it will use its own DNS server to use mine, but I'm not sure how I could do the same with a proxy. Maybe just force ports 80 and 443? But what's stopping these apps from communicating on non-standard ports?


There's no reason to allow arbitrary traffic in either direction other than convenience. If you want a more secure network, you block everything by default and narrowly open as needed.


That means I'll stop 99% of all outgoing traffic. Still interested in how to force all traffic to a proxy though.



Thanks, I'll give this a thorough read.


If it's only for certain ports, they can just use non-standard ports.


Not uncommon to have a drop all rule as default on outgoing packets as well.

Regular http gets redirected to proxy, non-standard traffic needs to be explicitly allowed out.
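The policy discussed in this thread (redirect plain HTTP to a proxy, default-drop everything else outbound), sketched as RouterOS rules. This is an added example, not a configuration posted by any commenter. It assumes the LAN interface is named `bridge`, that the router's built-in web proxy on port 8080 is the proxy in question, and that `allowed-out` is a hypothetical address list whose single entry is a constructed documentation address.

```routeros
# Assumption: the router's own web proxy is the interception point.
/ip proxy
set enabled=yes port=8080

# Plain HTTP from the LAN is redirected to the local proxy, whatever
# destination address the client asked for.
/ip firewall nat
add chain=dstnat in-interface=bridge protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="force HTTP through proxy"

# Hypothetical allow-list of destinations that may be reached directly.
# 203.0.113.10 is a constructed sample address (TEST-NET-3).
/ip firewall address-list
add list=allowed-out address=203.0.113.10 comment="explicitly approved host"

/ip firewall filter
# Redirected traffic arrives on the input chain with dst-port 8080.
add chain=input in-interface=bridge protocol=tcp dst-port=8080 \
    action=accept comment="LAN to local proxy"
# Replies to connections that were already permitted.
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
# Narrow, explicit exception: HTTPS only to approved destinations.
add chain=forward in-interface=bridge protocol=tcp dst-port=443 \
    dst-address-list=allowed-out action=accept comment="approved HTTPS"
# Default deny: anything else leaving the LAN, including traffic on
# non-standard ports, is dropped and logged for review.
add chain=forward in-interface=bridge action=drop log=yes \
    log-prefix="egress-drop" comment="default deny outbound"
```

The redirect only covers plain HTTP; an application that tries a non-standard port hits the final drop rule, and the `egress-drop` log entries show which destinations would need an explicit allow.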



