The alternative that I'm thinking right now is that in the pre-login process Dovecot would only advertise those capabilities that are actually useful before login. Then after login it would send an updated capability reply to the client. The important question here is: Are there any clients that don't update their capabilities?
RFC says: A server MAY send capabilities automatically, by using the CAPABILITY response code in the initial PREAUTH or OK responses, and by sending an updated CAPABILITY response code in the tagged OK response as part of a successful authentication. It is unnecessary for a client to send a separate CAPABILITY command if it recognizes these automatic capabilities.
So that's valid approach and any client should support it.