Somebody's not understanding something correctly. And it may be me.
End users don't have anything to do with DKIM signing messages. DKIM signing is done at the MTA level.
It really doesn't matter what selector is used by the MTA, just so long that the appropriate public key is stored in the respective selector DNS record.
The ONLY way that "default" would interfere here, is if an end user is wanting to send out mail through two SMTP servers and both MTAs are signing messages with a "default" selector. I can't imagine that happens very often though.
You keep saying that the user has to use s1 and s2 selectors. Why?
Your cPanel server is going to create a private DKIM key to sign messages with.
Your cPanel server is going to add the appropriate default._domainkey
public key TXT record into the DNS server on the server or in the DNS cluster.
When the user sends out mail through your cPanel server those messages are going to get signed with that private DKIM key and have the "default" selector added into the headers.
A mail server that receives this messages is going to read the DKIM header in the message, find that it's using example.tld domain name and default selecotor, and compare the designated headers hashed with the public key in your default._domainkey
for example.tld with the hash presented in the headers. If they match, then DKIM is successful.
If example.tld is not using DNS servers designated by the cPanel server - then that DNS server isn't going to automatically get the default._domainkey
public key TXT record. This would need to be added manually.
Either way, the end user that sent the mail is oblivious to what selector is used when sending out mail through your server.
The second SMTP server that they are sending messages out through will have to use a different selector than "default" (or a different domain name). If that service is designating s1 or s2 as their selector, that's fine and does not interfere at all with your cPanel DKIM.
You just need to add the respective s1._domainkey
public key into the domain's DNS - where ever that DNS may be being hosted (and if that is your responsibility).
The only time this would create a collision issue, is if you are using two SMTP services that are signing messages with different keys but the same selector. You can't do that (I don't think) - https://datatracker.ietf.org/doc/html/rfc6376/#section-184.108.40.206
But as long as each different SMTP service the domain is using, is using different selectors - then it won't matter. You just have to have each corresponding public key for each selector in the domain's public DNS.