[jeroenhd]

Almost all of WhatsApp has been E2EE for years, based on the same protocol Signal uses. This goes for text messages (personal and groups) and calls. Cloud backups are not encrypted by default, but encryption can be enabled.

WhatsApp doesn't have an open source client so verification is difficult. However, if someone were able to break the encryption, I'm sure it'd be in the headlines of most newspapers.

One exception is WhatsApp business: I don't know the details, but Facebook offers a service where they will do some chat automation for your business which means they must receive the keys.

In terms of security: key changes are automatically accepted. They are hidden by default, but by toggling a setting every time a user updates their keys, a message will be introduced into the chat. QR code key validation has been in the app for years now, though I doubt many users are using the feature.

[mulmen]

How do you tell the difference between true E2EE and Zoom E2EE where FB decrypts the message in the middle? Or otherwise backdoors the exchange, perhaps outside the Signal protocol? Ultimately you are trusting Facebook to tell the truth here.

[salawat]

You read the bloody code, and you run the infrastructure. Not your hardware, not your system. There is no alternative.