If we are looking for a certificate which can be used for encryption (regardless of expiration, revocation, etc.), then we need to use the new Key::hasEncrypt (added with T6748), because Key::canEncrypt returns false for an expired OpenPGP certificate with an encryption subkey and a non-encryption primary key.
Similar problems could occur when looking for signing certificates or authentication certificates.
This task tracks the changes that are not directly related to T6743: Libkleo Keyresolver: check for existing encryption subkey instead valid one, as first step.