Furthermore, I'd imagine that the host might be required to retain those records for law enforcement purposes (imagine if someone made death threats, etc and law enforcement requested those records for an investigation).
GDPR does have exceptions for legal compliance, yes. If someone does something illegal and they request deletions you can (IMO, not a lawyer) retain the records if you know there is an investigation or court case going or strongly suspect so or initiate it yourself.
You may even be able to keep comments/posts for longer for general compliance. You will need an audit explaining why and to be prepared to defend it. You won't be able to use such data for analytics.
This is based on my personal layman's understanding. I am NOT a lawyer. I am NOT your lawyer. If you need legal advice consult a competent lawyer in your jurisdiction.
Legal/Regulatory compliance is not for Facebook or Amazon.
It is to prevent people going to their Bank, where they have a credit card or a consumer loan, or a mortgage, and say "can I please be forgotten/be wiped from your systems - oh and the loan too!".
