Even a closed-source app is never really closed. In the end it's all machine code, which is basically source code as well. There are many tools to analyse binaries, like IDA Pro. It's just difficult, and often steps are taken to obfuscate what it's doing.
Having the higher-level source code just makes it a lot easier.
But if WhatsApp did this, it would probably be noticed pretty quickly by experts. But like I said above, WhatsApp's Achilles heel isn't really the E2E encryption. It's the cloud backups.
Also, even if it does not exfiltrate user data now, it's one update away from doing that tomorrow. Quite possibly even via a targeted update on some specific people "not in favor".
If it was open source there is some chance a backdoor would be spotted (e.g. by Linux distro package maintainers), but not when a company is pushing obfuscated binary blobs pretty much directly to users.
Well, not directly, for most people that would be via Apple/Google stores.
And of course these stores could have secret functionality for shipping targeted updates.
But if it exists, this means that 1) none of the developers working on the store backend decided to leak info about it and 2) none of the targets have had an expert look at their device to find an unusual update that wasn't seen by anyone else.
Over time, the probability of either of those things happening would be going up…