If I'm using a WhatsApp mobile app written by WhatsApp and distributed as a binary, I really only have WhatsApp's word that there are only two ends to the conversation, not three. There's nothing to stop them relaying messages to a third party using any one of a number of mechanisms, which may or may not be able to be exposed by traffic monitoring or decompilation of the binary.
The lesson in all this is that if you want to assure yourself of secure end-to-end communications, you have to control at least your own "end", preferably separating the two concerns of encryption/decryption and transmission of the message such that those concerns can be handled by different pieces of software.
I assume that sensible terrorists whose lives depend on communications security don't rely on blind trust of tech companies and apply defence in depth, or hide in clear sight communicating using LOLcats, YouTube comments, or whatever.
Which in turn suggests that GCHQ can only ever hope to capture idiots and/or people who don't think they are doing anything wrong.