I co-founded Gliph, which was one of the first commercial, cross platform messaging apps to provide end to end encrypt.

One area of exposure was push notifications. I wonder if the access described wasn’t to the messages themselves but content rich notifications.

If so, both parties could be ~correct. Except the contractors would have been seeing what is technically metadata.