GDPR does have exceptions for legal compliance, yes. If someone does something illegal and they request deletions you can (IMO, not a lawyer) retain the records if you know there is an investigation or court case going or strongly suspect so or initiate it yourself.
You may even be able to keep comments/posts for longer for general compliance. You will need an audit explaining why and to be prepared to defend it. You won't be able to use such data for analytics.
This is based on my personal layman's understanding. I am NOT a lawyer. I am NOT your lawyer. If you need legal advice consult a competent lawyer in your jurisdiction.
Legal/Regulatory compliance is not for Facebook or Amazon.
It is to prevent people going to their Bank, where they have a credit card or a consumer loan, or a mortgage, and say "can I please be forgotten/be wiped from your systems - oh and the loan too!".
