At least on Android it's possible to dissect an app. You won't get the original java code, but static analysis is possible. And indeed, it's possible to capture it's network traffic and even often decrypt that traffic (with root access to the device). Now, I, or you may not research at this level, but someone looking into wether they may use WhatsApp to discuss attack plans on, say, Jemen, might find such weaknesses.

People find exploits in proprietary code, or even SaaS (where researchers cannot even access the software) every day.

People at Meta might leak this information too.

"Information wants to be free"

My point is: the risk of this becoming known is real.

> What prevents them from simply pushing an update that quietly uploads private keys or unencrypted messages to their servers

Reputation

Or what's the translation of bank run but generic for any service? Leegloop in Dutch. Translator gives only nonsense. Going for the descriptive route: many people would leave because of the tarnished reputation

The trick is to have Facebook continue to believe that this reputation/trust is more valuable than reading the messages of those who stay behind, which can partially be done by having realistic alternatives for people to switch to so that there is no reason to stay when trust is broken. Which kinda means pre-emptively switching (at least to build up a decent network effect elsewhere), which is what I've chosen to and encourage anyone to also do. But I'm not a conspiracy theorist who thinks that, at the present time, they'll try to roll out such an update in secret, at least not to everyone at once (intelligence agencies might send NSLs with specific targets)