by iwlbebnd 3439 days ago
Binaries which have a client-server architecture certainly are.

Is the claim the full WhatsApp stack is open to regular independent third party security audits from multiple firms?

1 comments

You don't need to know what the server does with your data if the client is encrypting it properly.

The client-server architecture is irrelevant here.

Read this, then flip the roles: https://paragonie.com/blog/2016/03/client-authenticity-is-no...

Reverse engineer the client-side app. You now know what the client-side app (the part that people want to be open source) is doing. You don't need to know what the server's code is doing.

Which is exactly the issue? At any time the server can request a key reset and have messages resent. I don't see how it is at all irrelevant since it is exactly what the cause is here.
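Added illustration, not part of the thread: a small Python simulation of the client-side policy the comment above is arguing about. The server announces a key reset for a peer while messages are still unacknowledged, and the client either re-encrypts and resends them to the new key or holds them until the user verifies it. Encryption is modelled as tagging a message with the key id it was encrypted to; the key ids, message texts and the "server-chosen-key" value are constructed for the example and no real cryptography is performed.

```python
"""
Simulates how a messaging client reacts when the server reports that a
peer's key has changed while messages are still queued for delivery.

The point under discussion: the server can always send a key-change
notice; whether that leads to plaintext being encrypted to a key the
server picked is decided by the client's retransmission policy alone.

Encryption is modelled by labelling each message with the key id it was
encrypted to. No real cryptography is performed. All identifiers and
messages below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Ciphertext:
    key_id: str       # which peer key this message was encrypted to
    plaintext: str    # kept only so the simulation can report what went where


@dataclass
class Client:
    peer_key: str                   # key id the client currently trusts for the peer
    resend_on_key_change: bool      # the policy under test
    outbox: list = field(default_factory=list)   # handed to server, not yet acked
    sent: list = field(default_factory=list)     # every Ciphertext ever handed to the server
    held: list = field(default_factory=list)     # plaintexts withheld pending user verification

    def send(self, text: str) -> None:
        ct = Ciphertext(self.peer_key, text)
        self.outbox.append(ct)
        self.sent.append(ct)

    def on_ack(self, ct: Ciphertext) -> None:
        self.outbox.remove(ct)

    def on_key_change(self, new_key: str) -> None:
        """Server claims the peer's key is now new_key.

        Policy A (resend_on_key_change=True): silently re-encrypt every
        unacked message to new_key and resend it.
        Policy B (resend_on_key_change=False): adopt nothing automatically;
        keep the messages back until the user verifies the new key.
        """
        pending, self.outbox = self.outbox, []
        if self.resend_on_key_change:
            self.peer_key = new_key
            for ct in pending:
                resent = Ciphertext(new_key, ct.plaintext)
                self.outbox.append(resent)
                self.sent.append(resent)
        else:
            for ct in pending:
                self.held.append(ct.plaintext)


def run(resend_policy: bool, server_key: str = "server-chosen-key") -> dict:
    """Run the scenario and report which plaintexts were encrypted to the
    key the server supplied and which were held back."""
    client = Client(peer_key="alice-key-1", resend_on_key_change=resend_policy)
    client.send("meet at 9")
    client.send("bring the documents")
    # The server withholds the acks and announces a key reset for the peer.
    client.on_key_change(server_key)
    return {
        "to_server_key": [ct.plaintext for ct in client.sent if ct.key_id == server_key],
        "held": list(client.held),
    }


if __name__ == "__main__":
    for policy in (True, False):
        print(f"resend_on_key_change={policy}: {run(policy)}")
```

Running it shows both queued messages encrypted to the server-supplied key under the resend policy and nothing encrypted to it under the hold policy, which is the whole of the argument: reverse engineering (or reading) the client tells you which policy it implements, and the server's code never enters into it.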

The issue is that the client software being open source (rather than closed source) would do nothing to change the risk profile, so it's not worth bringing up.

If the client is open source: What the server is doing is irrelevant as long as the client is secure.

If the client is closed source: What the server is doing is irrelevant as long as the client is secure.

If the server can compromise the client, whether or not the client is open source does not matter.

People who believe that open source is a prerequisite for security are disregarding the entire discipline of reverse engineering which is a large chunk of software security expertise.