From the article:

> According to the 115-page complaint, Baig discovered through

> internal security testing that WhatsApp engineers could “move

> or steal user data” including contact information, IP addresses

> and profile photos “without detection or audit trail”.

That isn't really the breach you're making it out to be. Profile photos, unless made private/contacts only, are already publicly visible, and so is "contact information".

Of course these are useful to intelligence services, but this doesn't mean that Baig found they don't have true end-to-end encryption.