1. Would it be safe to replace Dovecot/Exim with versions that include OpenSSL 1.1.1i statically compiled?
2. Is there any plan/ETA to add TLS 1.3 to every service?
cPanel added support for TLS 1.3 in version 86. Utilizing TLS 1.3 for services requires that the OpenSSL version is greater than 1.1.x. For example, CentOS 7 servers use an older OpenSSL, which doesn't support TLS 1.3. Most of cPanel's services like Exim, Dovecot, and cpsrvd are linked to the OpenSSL version provided by the operating system.
Until the operating system supports TLS 1.3, the highest TLS that can be used for these services is TLS 1.2. If TLS 1.3 is required for all services, it may be best to migrate to CentOS/CloudLinux 8 servers. These servers support OpenSSL TLS 1.3 by default, which would address the concern.
Please do not try upgrading the OpenSSL manually, as this can cause a lot of issues. It is best to migrate to a system that already supports the required OpenSSL version or wait until the OpenSSL version is backported.
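A way to confirm what the reply above describes on a given server, as an added example that is not part of the original thread or cPanel's own tooling: it checks whether the system OpenSSL is new enough for TLS 1.3 (OpenSSL added TLS 1.3 in 1.1.1) and shows which libssl each service binary resolves to. The function names are hypothetical, and the binary paths are passed in by the caller rather than assumed.

```shell
#!/bin/sh
# Added example: is the OS-provided OpenSSL TLS 1.3 capable, and which
# libssl do the mail/web service binaries actually load?

# tls13_capable "<output of 'openssl version'>"
# Exit 0 if the version is >= 1.1.1, 1 if older, 2 if not an OpenSSL string.
tls13_capable() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; then
        return 0
    fi
    return 1
}

# libssl_from_ldd "<ldd output>": print the resolved libssl path, if any.
libssl_from_ldd() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# check_service <binary>: report the libssl a binary is dynamically linked to.
# Some daemons load TLS support from a plugin, so "none" is not conclusive.
check_service() {
    lib=$(libssl_from_ldd "$(ldd "$1" 2>/dev/null)")
    echo "$1 -> ${lib:-no direct libssl dependency (may load it via a plugin)}"
}

# Usage: sh check_tls13.sh /path/to/exim /path/to/other-daemon ...
if [ "$#" -gt 0 ]; then
    if tls13_capable "$(openssl version)"; then
        echo "system OpenSSL: TLS 1.3 capable"
    else
        echo "system OpenSSL: TLS 1.2 at most"
    fi
    for bin in "$@"; do check_service "$bin"; done
fi
```

A binary that resolves to the distribution's libssl path inherits the distribution's TLS ceiling, which is why the reply recommends migrating the OS rather than swapping the library.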