Question about openssl 1.1.1 and RHEL issue

First, Red Hat (as Operating System vendor) has decided that RHEL 8 has openssl 1.1.1 and therefore they will support the openssl in RHEL 8 as long as they support RHEL 8. At least to 2029.

RHEL 8 is now at 8.8. If a critical vulnerability is found now, then Red Hat will release a fixed version for RHEL 8.8 (and for RHEL 8.6 for Extended Update and SAP customers). No updates will be released for 8.5 (nor 8.7) – the 8.8 is the update for older point updates.


Up to this summer AlmaLinux was able to use the released sources of RHEL 8. Only the 8.8 fix would have appeared now, since EUS/SAP sources have never been public. At the moment AlmaLinux 8.8 is the only supported AlmaLinux 8. The 8.5 did “EOL” the moment the 8.6 was released. Previous point releases have never been supported.

Red Hat emphasizes the point that they support open source. That is, that they push content (like fixes) to upstream. The openssl 1.1.1 will be an interesting case after the upstream is dead. (Python 2.7 is already at that state.) Will the code fixes that Red Hat does for the RHEL 8 version of openssl appear anywhere else?

So far AlmaLinux (and Rocky Linux) have found ways to get source code and they attempt to continue to do so.
