Say WhatsApp receives a request from some government saying they need the data. Period. WhatsApp complies by setting some flag on your account and now your client isn't doing proper E2E encryption anymore and it's all up to be intercepted. And when someone not on an intercept list goes to audit the network traffic, it all looks fine. Infinite possibilities here.
What makes people trust the advertised E2E encryption is really happening when they most need? Faith in these companies?
Peer review. And it's a moving target, skype used to be the recommended one back in the day, when it was decentralized. Right now openwhisper based systems are one of the better ones we have (so whatsapp and signal) that are sanely accessible with decent features.
In principle, yes; in practice, most users are completely unable to assess whether the E2EE is effective in any way. How can you review the implementation does what the vendor says it does?
And even if they did, how do we now when they make you use the open source version of protocol and when they switch to a government-mandated (or cracker-pwned) protocol version for selected customers?
And even there, to be absolutely sure, you'd have to have a well-sanitized environment (say, start from ensuring that when you build your application from sources, you know all the source code, and you know your compilers and libraries aren't pwned, and you know your hardware wasn't hacked by e.g. some BIOS-resident vulnerabilities.)
It's pretty depressing, actually. A determined adversary with intelligence-service level resources can get a lot done. Your main hope is to be such an insignificant target that they don't want to waste resources, e.g. expose 0-day vulnerabilities etc to get just you.
