Agreed, its a bit confusing.
I think the idea was that the 4 ports on the bottom are the ones that the end user would see, so they would be E0-E3.
The end user would have no context as to what is behind the AP as it's in the wall.
Also note that as of 6.5.0.3 code you can not actually use secure wired AP with bridged ports. Don't try to use OnGuard or other authentication methods that would use multiple VLAN's or CoA on the ports. You're only solution is to use the ports in tunnel mode, Split Tunnel doesn't seem to work either.
Still waiting on an answer from Engineering on why this won't work. Looks like its got something to do with the way the PHY was implemented.
I've also run into issue with the port trying to hold the authentication/MAC of the device if the bridged port is not in trusted mode.