Why did you not mention that the WhatsApp apk, even on non-google play installed devices, loads google tag manager's scripts?

It is reproducibly loaded in each chat, and an MitM firewall can also confirm that. I don't know why the focus of audits like these are always on a specific part of the app or only about the cryptography parts, and not the overall behavior of what is leaked and transferred over the wire, and not about potential side channel or bypass attacks.

Transport encryption is useless if the client copies the plaintext of the messages afterwards to another server, or say an online service for translation, you know.