They explained it to some extent here: https://engineering.fb.com/2024/03/06/security/whatsapp-mess...

Sorry to be "that guy", because I don't know the details of how WhatsApp does E2EE, but in any proper (as in secure and private) implementation the only thing that should matter is whether the client follows the spec? You might as well ask, how does $browser work with HTTPS?