Hacker News

digdigdag, yesterday at 8:30 PM (3 replies)

> We didn't review the entire source code

Then it's not fully investigated. That should put any assessments to rest.


Replies

3rodents, yesterday at 8:36 PM

By that standard, it can never be verified because what is running and what is reviewed could be different. Reviewing relevant elements is as meaningful as reviewing all the source code.

ghurtado, yesterday at 9:16 PM

I have to assume you have never worked on security cataloging of third-party dependencies on a large code base.

Because if you had, you would realize how ridiculous it is to state that app security can't be assessed until you have read 100% of the code.

That's like saying "well, we don't know how many other houses in the city might be on fire, so we should let this one burn until we know for sure."

Barrin92, yesterday at 8:41 PM

As long as client-side encryption has been audited, which to my understanding is the case, it doesn't matter. That is literally the point of encryption: communication across adversarial channels. Unless you think Facebook has broken the laws of mathematics, it's impossible for them to decrypt the content of messages without the users' private keys.
