Listen, VRRP is not a receive only protocol. If that was the case, all TCP transactions to the VIP would fail. As you can see in the screenshot, they very well do work as this is a packet FROM the VRRP IP Address.
If what you are saying regarding AP communication is correct, then there would be 2 seperate GRE tunnels to the controller. One from the AP to the VIP, and one from the controllers mgmt IP to the AP. Which is also not the case. See the following:
Amazing that the firwall shows that the controller does indeed build a GRE tunnel from the VIP to the AP.
So now back to my original question, why are packets SENT from the VIP IP address not sent via the VRRP virtual mac? Doesn't this lead to issues where we have to do unicast flooding since we aren't learning the mac address on that port? (also behavior described in the RFC).