The topic has been e2ee, which is first and foremost about security. You can have e2ee without privacy, as is likely the case with WhatsApp.
You certainly can “prove” and “disprove” “security” by reverse engineering, to the same extent a source code review can (or even more, since you’re looking at what’s actually running on the device). It can often require a bigger time investment, but even that’s not always the case in my experience, especially if you’re working with a really bad code base.
