At least on Android it's possible to dissect an app. You won't get the original Java code, but static analysis is possible. And indeed, it's possible to capture its network traffic and even often decrypt that traffic (with root access to the device). Now, I or you may not research at this level, but someone looking into whether they may use WhatsApp to discuss attack plans on, say, Yemen, might find such weaknesses.

People find exploits in proprietary code, or even SaaS (where researchers cannot even access the software) every day.

People at Meta might leak this information too.

"Information wants to be free"

My point is: the risk of this becoming known is real.