by xarici_ishler 1859 days ago
That's a common misconception. Telegram private chats are by default not e2e encrypted (but you can create a separate "secret chat", which will be).

And that secret chat only works on mobile and only for 1 on 1 conversations.

Really? What does it mean in practical terms? Anyone can see my chats?

Is it worse than WhatsApp in that sense? I understand (again) that WA is e2e encrypted by default?

Thanks!

Quoted from article [1] on how someone 'hacked' some Brazil politicians:

"A hacker with little technical skill and no specialized equipment could, it turned out, do quite a bit of damage with access to someone's voicemail. Delgatti, for instance, figured out he could use this VoIP spoofing technique to target Telegram accounts. At the time, when a Telegram user wanted to attach their account to a new device, they had the option of requesting a verification code via an automated voice call from Telegram. Delgatti realized that he could spoof a victim's phone to request that code. Then, if Telegram's automated voice call didn't get through—because Delgatti initiated the hack late at night while his victim slept, or kept the line busy by calling his victim at the same time—the code would be sent to the person's voicemail. He could then spoof the target's phone once again to gain access to their voicemail, retrieve the verification code, and then add the victim's Telegram to his own device. After that, he could download their entire chat history from the cloud."

[1] https://www.wired.com/story/brazil-hacker-bolsonaro-car-wash...

I think the least everyone who wanna continue using Telegram must do is enable 'two-step verification' in Telegram settings.

Or use Signal. Or Wire if you don't wanna expose phone number. But Wire stores metadata.

Edit: Yeah WA is e2e by default. But if you or your friend has enabled backing up chats to Google account, everything will be backed up in plain/weak encryption. Also at least in Android, WhatsApp automatically stores all received/sent pics, videos etc in a folder named WhatsApp which is available to any app with storage permission.

> Also at least in Android, WhatsApp automatically stores all received/sent pics, videos etc in a folder named WhatsApp

Note that this is true even for unread messages, including messages in group chats.

In practical terms, non-secret chat messages are stored, more or less cleartext, on Telegram servers. In this sense, yes, it is much less secure than WhatsApp. Though I don't know if, in WhatsApp, the metadata is also e2e encrypted.

Yes, it is much worse than WhatsApp. I use it because it has global searchable groups. Also you can make it such that other people who chat with you will not be able to see your phone number.

WhatsApp has a nag screen about backups on like every other startup and the backups are plaintext in Google Drive (not sure about the iOS version). So if your contacts just use the defaults you are not better off.