I have an add-on under review at the moment and it uses 3rd party libraries which don't have the exec or die statements either. They can be excempted by the reviewers under specific conditions. You will have to motivate that on the review page of your add-on.

json_decode and system i/o functions pose security issues, I think That's why they are not allowed. Getting exempted for that is propably a bigger issue. Browse Concrete's libraries (in the vendor folder) and Concrete's utility classes to see if they have a json parser. Then you can use those. I did the same with file_put_contents, mk_dir and require by using \Illuminate\Filesystem\Filesystem which is in the vendor folder.

The OP said it's about 5.6, and there's no vendor (composer) there. You will have to look through the helper files I guess, if it's there. But most likely the peer reviewers can help you on that as well. Just post a comment, so they know it's failing. Sometimes when one or mulitple tests failed, they don't look at your submission (or it doesn't get flagged to review or something, not sure).

As for exec or die, if you can motivate why it shouldn't be there and it doesn't work without it, shouldn't be an issue.