What happens when a so-called "tech" company that cannot be trusted wants to punch holes in the user's firewall without prior consent from the user

Purely hypothetical, of course

For example, WhatsApp tries to connect to at least two servers on UDP port 3478 without asking the user if this is what they want to do or explaining the purposes of these connections

Example server addresses are

57.144.221.54

31.13.70.48

3478 is the port used for "Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)", or "STUN" for short

https://www.ietf.org/rfc/rfc3489.txt

Perhaps IPv6 would obviate the need for STUN