When things are working (i.e. you have manually run the update-ca-certs.sh script, the TV has rebooted, and it has automatically run the post-boot /var/lib/webosbrew/init.d/overlay-letsencrypt-ca-certs-fix script), then:
* DST_Root_CA_X3.pem should not exist in /etc/ssl/certs - the post-boot script explicitly removes its entry from the (overlaid) /etc/ca-certificates.conf, and the content of /etc/ssl/certs is dynamically updated post-boot, based on this configuration file, by the update-ca-certificates command run in the post-boot script. DST_Root_CA_X3.pem is explicitly excluded because it has expired.
* ca-certificates.crt should exist in /etc/ssl/certs - it is created dynamically post-boot, by the update-ca-certificates command run in the post-boot script.
So clearly, as you say, the post-update script was not running correctly for you. I assume this is because the TV must have been in failsafe mode at the time.
I am not entirely sure that the TV's default GUI web browser uses this same system-wide certificate truststore, but may instead have its own (which LG may take more care about updating). So, if one has updated LG firmware, it may be entirely possible that the GUI browser will talk to sites using the new LetsEncrypt certs without any "workarounds" like my script (if LG have updated the browser's proprietary certificate truststore as part of that firmware update).
I unfortunately do not have access to a Plex server using a new LetsEncrypt cert, so can't try to replicate the issue. I am using it with an Emby server using a new LetsEncrypt cert, and the latest incarnation of the script works well for me (I too enabled the Quite Start+ functionality on the TV as I got fed up of failsafe mode kicking in all the time - the experience has been much smoother since).