The Pedestal "Getting started" (http://pedestal.io/pedestal/0.7/guides/hello-world.html) includes, according to clj -X:deps tree, a bunch of websocket stuff which looks unnecessary to my plans. Can I safely exclude jetty-jakarta-websocket-api ring-websocket-protocols websocket-core-client websocket-core-common websocket-core-server websocket-jakarta-client websocket-jakarta-common websocket-jakarta-server websocket-servlet
Unless the size of the jar is very important to you, these dependencies will not slow anything down or get in the way of anything.
Tools like GraalVM native-image are smart enough to find classes that are not in use and discard it.
One of the OWASP Top 10 risks is "Vulnerable and Outdated Components" and the very topmost recommendation to mitigate it is "Remove unused dependencies". Interesting about Graal. I hope that won't be necessary.
This is somewhat of a side-effect of building in a engine agnostic way to specify web socket handlers (part of 0.7); but (most likely) you can remove many of the dependencies beyond jetty-jakarta-websocket-api.
I haven't experimented with this.