Hacker News
by judge2020 1769 days ago
The cool thing about phones is that you can MITM yourself and see what apps are sending, assuming they don't certificate pin (which TikTok doesn't). The person that reported this during the beta period didn't find any evidence when doing so.

https://old.reddit.com/r/videos/comments/fxgi06/not_new_news...

2 comments

Can you actually still widely do this? Last time I checked, on the latest versions of Android, apps don't accept user certificates, so you can't really do much about any HTTPS traffic, which really is the bulk.
You can, on a rooted phone. There are ways to install a CA certificate with root (described in my only popular blog post), but there are also alternatives, like using Frida to disable TLS verification altogether.

It's certainly not as easy and reliable as it used to be, but it's still common for security research to use these tactics to see what apps are doing.
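The "install a CA with root" route above hinges on one detail that is easy to get wrong: Android's system store at /system/etc/security/cacerts/ only picks up a file named after OpenSSL's old-style subject hash (`<hash>.0`), and a wrongly named file is silently ignored. The script below is an added example, not code from the thread or from the commenter's blog post: it parses the subject out of a PEM certificate, computes that hash with the stdlib only (so no openssl binary is needed on the workstation), and emits the adb commands for a rooted device with a writable /system. The certificate it operates on is constructed inline and is not a real CA; the key and signature fields are placeholders. Caveat from me, not the thread: this targets Android 13 and earlier; on Android 14 the system store moved into the Conscrypt APEX (/apex/com.android.conscrypt/cacerts), where `adb remount` alone no longer reaches it.

```python
"""Install a MITM proxy CA as a system trust anchor on a rooted Android device.

Android 7+ apps ignore user-added CAs by default but trust everything in
/system/etc/security/cacerts/. Files there are named <hash>.0, where <hash>
is OpenSSL's "old" subject hash: the first four bytes of MD5(DER subject Name),
read as a little-endian 32-bit integer. A wrong filename is the usual reason a
pushed CA is silently not trusted, so this computes it without needing openssl.
"""
import base64
import hashlib
import re

CACERTS_DIR = "/system/etc/security/cacerts"  # system store on Android <= 13


def _der_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def pem_to_der(pem):
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def subject_der(cert_der):
    """Return the DER bytes of the subject Name, tag and length included."""
    _, pos, _ = _der_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = _der_tlv(cert_der, pos)     # TBSCertificate SEQUENCE
    tag, _, end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional explicit [0] version (absent in v1 certs)
        pos = end
    for _ in range(4):                      # serialNumber, signature, issuer, validity
        _, _, pos = _der_tlv(cert_der, pos)
    tag, _, end = _der_tlv(cert_der, pos)   # subject
    if tag != 0x30:
        raise ValueError("subject Name is not a SEQUENCE")
    return cert_der[pos:end]


def subject_hash_old(cert_der):
    """Same value as `openssl x509 -subject_hash_old` (X509_NAME_hash_old)."""
    md = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def system_ca_filename(pem):
    return subject_hash_old(pem_to_der(pem)) + ".0"


def install_commands(pem, local_path="mitm-ca.pem"):
    """adb steps for a rooted device with a writable /system (Android <= 13)."""
    dest = f"{CACERTS_DIR}/{system_ca_filename(pem)}"
    return [
        "adb root",
        "adb remount",
        f"adb push {local_path} {dest}",
        f"adb shell chmod 644 {dest}",
        "adb reboot",
    ]


# --- constructed sample certificate: not a real CA, placeholder key and signature ---
def _der(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, PrintableString } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn))))


def _sample_cert(with_version):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" * 17))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) if with_version else b"") + _der(0x02, b"\x01")
    tbs += alg + _name(b"Some Other CA") + validity + SAMPLE_SUBJECT_DER + spki
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 17))


SAMPLE_SUBJECT_DER = _name(b"mitmproxy")
SAMPLE_CERT_DER = _sample_cert(with_version=True)
SAMPLE_CERT_V1_DER = _sample_cert(with_version=False)  # no [0] version field


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_CERT_PEM = der_to_pem(SAMPLE_CERT_DER)

if __name__ == "__main__":
    print("\n".join(install_commands(SAMPLE_CERT_PEM)))
```

Before pushing a real proxy CA, cross-check the computed name against `openssl x509 -in mitm-ca.pem -noout -subject_hash_old`; the two must agree. The issuer in the sample is deliberately different from the subject so that a field-skipping mistake in the parser shows up as a different hash rather than going unnoticed.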

The basis of many enterprise networks is device-installed CAs, so I would be thoroughly surprised. iOS at least still allows you to install a custom CA, and only a few apps, which likely reject connections that aren't secured via a specific CA, will refuse to work with it.
From a legitimate reverse engineering/security auditing standpoint, cert pinning is generally very trivial to bypass.

see: Frida, Xposed framework (not sure if it's still relevant)

There is a way to do it where you recompile the APK to enable trusting user CAs, see https://daksh.github.io/MITM/.
There is also another cool feature of modern phones: updates. Unless a corporation can prove that each and every single release and test version in the past and the future didn't and will not do something, it is always possible that some versions did this or will do so in the future.