by akdev1l 838 days ago
The WhatsApp client does give Meta a window of opportunity to get data from users.

The data is otherwise E2E encrypted, but when you see a link preview on WhatsApp, Meta knows that.


Only the messages are encrypted, but there's a ton of metadata that isn't, e.g. who you talk to, when, where you are when you do so, ...
But in the client is the only time their code touches the actual unencrypted message data.

Also, a lot of the data you mentioned will not be available if you don’t use their client, e.g. if you use the Signal client then Facebook won’t get your location at all, as that’s not part of a regular text message.

Do they actually do that? Because I'm not so sure that they do.
The preview sends a request to some server on a Facebook subdomain. I know because I was sniffing traffic on my phone without any Facebook app installed other than WhatsApp.
Okay, but do they actually use any data from that? What does the privacy policy say? Have any effects been observed beyond "uses a facebook domain" (e.g. you see ads on Facebook for a site you had in preview)? Is there a functional reason for using that domain?
Do you think I’m a Facebook employee…?

Because no one else can answer your questions.

Did you see the content of that domain? It might be spam/phishing protection, which can be done in a privacy-preserving way (e.g. sending only a truncated hash of the link TLD to a server and downloading a larger set of blocked domains for local filtering).

At least on my Mac, I also only see connections to the URL domain, nothing to a Facebook subdomain.

There’s like 1000 reasons why the domain could be used. (For example you wouldn’t want 1M phones destroying a website because it became viral on WhatsApp, hence a caching layer is probably needed)

I don’t work at Facebook on this specific system that handles link previews so I have no idea of the details.

The fact is that if they send a request containing the link I previewed which is tied to my IP which connects to my Facebook account then they can 100% correlate that information and figure it out.

Are they doing that? Maybe, maybe not. I don’t work there. But they can if they want to so it all comes down to trust. Do you trust Meta?

Meta and 'privacy-preserving' are a contradiction in terms.
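
The privacy-preserving blocklist check one commenter suggests above (send only a truncated hash, fetch the matching bucket, filter locally), as an added sketch that is not from any participant in the thread and not WhatsApp's code. `BlocklistServer`, `is_blocked`, the 2-byte prefix length and the sample domains are all hypothetical.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_BYTES = 2  # assumption: short prefix so many domains share each bucket


def domain_hash(domain: str) -> bytes:
    """SHA-256 of the normalised host name (lower case, no trailing dot)."""
    return hashlib.sha256(domain.lower().rstrip(".").encode("utf-8")).digest()


class BlocklistServer:
    """Hypothetical server side: it only ever receives hash prefixes."""

    def __init__(self, blocked_domains):
        self.buckets = {}
        for d in blocked_domains:
            h = domain_hash(d)
            self.buckets.setdefault(h[:PREFIX_BYTES], set()).add(h)
        self.seen = []  # everything the server could log about lookups

    def lookup(self, prefix: bytes) -> set:
        self.seen.append(prefix)
        # Return every full hash in the bucket; the client decides locally.
        return self.buckets.get(prefix, set())


def is_blocked(url: str, server: BlocklistServer) -> bool:
    """Client side: the URL and the full hash never leave the device."""
    host = urlsplit(url).hostname or ""
    full = domain_hash(host)
    candidates = server.lookup(full[:PREFIX_BYTES])
    return full in candidates


if __name__ == "__main__":
    # Constructed sample data.
    server = BlocklistServer(["bad.example", "phish.example"])
    for url in ("https://bad.example/login", "https://good.example/"):
        print(url, "blocked" if is_blocked(url, server) else "ok")
    print("server saw:", [p.hex() for p in server.seen])
```

The server still sees the client's IP address and the timing of each lookup, which is the correlation concern raised earlier in the thread; the prefix only limits what the request body itself reveals.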