It’s good enough for NSA to catch a terrorist, not necessarily useful enough for FB to produce targeted ads.

I disagree. Identifying a terrorist and their whereabouts for targeted assassination is not that different to serving personalized ads. It’s all about gathering information about the person.

True, file metadata is unaccessible like message content but I was referring to message metadata which covers ip address and phone number (as you mentioned) but also geo location (possibly live - WhatsApp is an application after all), when you communicate with whom how often. You can derive lots of info from that especially if your communication partners are more careless about their data and may maintain an active social media profile with Meta.

It’s definitely easier than finding out info about someone whose life depends on not being found - like a terrorist.

if you don’t have a FB account, or don’t use your real name there, all they’ll know is that you have a WhatsApp account, but won’t see your messages, unless someone reports your messages

They don’t need your chit-chat to profile you. Metadata profiling is where it’s at and that’s why that whole e2ee introduction was just a marketing ruse. It’s good enough for the NSA, so it’s good enough for Meta. And Meta does collect that data even without an account.

but the same can be said for other OSS alternatives;

Well, your example is not open source, so yes, you cannot trust Telegram. Signal open sourced their server code some time ago. Even with FOSS you have to stay vigilant though and complete trustlessness is hardly achievable (do you trust your device? Your carrier? Your communication partner’s? Etc.)

They asked about privacy, not security. WhatsApp is profiling you.