
You can of course go verify it. Or you could trust the many many people who have.

Or you can spread FUD on the internet…




How can this be verified? WhatsApp isn't open source.


You could use a network traffic analyzer, Frida, or trust third-party security audits that WhatsApp publishes, like https://research.nccgroup.com/2021/10/27/public-report-whats...


What if it acts normal for a vast majority of users, but a user who is secretly flagged on Facebook's back end will secretly report plaintext? Or a certain list of conditions will trigger more snooping? Network traffic works for proving that the app, right now, in this exact circumstance and time and date and location etc., probably isn't snooping on me. There are lots of sneaky ways to exfiltrate data that you wouldn't notice. Imagine encoding data through the timing of requests made or the exact ordering of simultaneous requests.


> What if it acts normal for a vast majority of users, but a user which is secretly flagged on Facebook's back end will secretly report plaintext?

You can see that by reverse engineering the binary.


Software verification rarely uses the source (at least exclusively) because you can’t trust it.

Typically it’s a combination of decompiling and traffic analysis.



