by morshu9001 141 days ago
Even if your client is asking other clients to verify, what if everyone has the same wrong key for a particular user WhatsApp has chosen to spoof?

Well, surely your client knows what its own key is, and would notice that the listed key is wrong when it checks it.

They can also tell your client it has the correct key. Yours and the other clients are all talking to their mitm in this scenario. There's fundamentally no way to solve this without users verifying keys out-of-band.

> They can also tell your client it has the correct key.

No they can't. Key transparency cryptographically makes sure everyone gets the same result.

Key transparency is a public list of keys, like what CAs do. That still trusts an authority. Of course a third party could archive/republish the key list and you could trust them instead of WhatsApp, but that's what I call an out of band key verification.

These are all good measures though. It's much harder for WhatsApp to mass attack users this way.

Well, more than just that. For the published key transparency information to be trusted it has to not just be signed by WhatsApp, but also by an independent witness. In this case Cloudflare.

So for wa to do a man in the middle attack they would also need to convince Cloudflare to sign two inconsistent tree heads.
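
The witness check discussed in this thread, as an added example that is not part of any comment and is not WhatsApp's or Cloudflare's code: a witness that cosigns a new tree head only when a consistency proof shows it extends the last head it cosigned. It assumes an RFC 6962-style Merkle log (real key transparency logs use their own tree layout), leaves out the signatures themselves, and the names `Witness`, `cosign` and `head` are hypothetical.

```python
import hashlib

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def root(leaves):  # RFC 6962 Merkle tree hash over the log's key entries
    if len(leaves) == 1:
        return H(b"\x00", leaves[0])
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two < n
    return H(b"\x01", root(leaves[:k]), root(leaves[k:]))

def consistency_proof(m, leaves, whole=True):  # log side: RFC 6962 SUBPROOF
    n = len(leaves)
    if m == n:
        return [] if whole else [root(leaves)]
    k = 1 << ((n - 1).bit_length() - 1)
    if m <= k:
        return consistency_proof(m, leaves[:k], whole) + [root(leaves[k:])]
    return consistency_proof(m - k, leaves[k:], False) + [root(leaves[:k])]

def verify_consistency(first, second, first_root, second_root, proof):
    if first == second:  # same size: any different root is a split view
        return first_root == second_root and not proof
    if not proof or first > second:
        return False
    if first & (first - 1) == 0:  # old tree is a complete subtree of the new one
        proof = [first_root] + proof
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = proof[0]  # fr rebuilds the old root, sr rebuilds the new root
    for c in proof[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = H(b"\x01", c, fr), H(b"\x01", c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = H(b"\x01", sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == first_root and sr == second_root and sn == 0

class Witness:  # assumption: the very first head is accepted on first use
    size, head = 0, None
    def cosign(self, size, new_root, proof):
        ok = self.head is None or verify_consistency(self.size, size, self.head, new_root, proof)
        if ok:  # only a head that extends the remembered one replaces it
            self.size, self.head = size, new_root
        return ok
```

A log that rewrites an already-published entry cannot produce a proof that rebuilds the witness's remembered root, so `cosign` returns `False` and the forked head never gets the second signature.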