If we are looking for a certificate that can be used for encryption (regardless of expiration, revocation, etc.), then we need to use the new `Key::hasEncrypt` (added with T6748), because `Key::canEncrypt` returns false for an expired OpenPGP certificate with an encryption subkey and a non-encryption primary key.
This task tracks the changes that are not directly related to {T6743}.