At least on android, most whatsapp data is stored in a folder named whatsapp, which can be accessed by any app with storage permission. So you can see all sent/received images and videos in photo viewer apps etc. Signal stores them in a place which at least in Android 11 can't be accessed by other apps.
Or cripple projects that remove that telemetry (see Vscodium which cannot use remote extensions and the new default LSP named Pylance, because Microsoft forbids it).
Quoted from article [1] on how someone 'hacked' some Brazil politicians:
"A hacker with little technical skill and no specialized equipment could, it turned out, do quite a bit of damage with access to someone's voicemail. Delgatti, for instance, figured out he could use this VoIP spoofing technique to target Telegram accounts. At the time, when a Telegram user wanted to attach their account to a new device, they had the option of requesting a verification code via an automated voice call from Telegram. Delgatti realized that he could spoof a victim's phone to request that code. Then, if Telegram's automated voice call didn't get through—because Delgatti initiated the hack late at night while his victim slept, or kept the line busy by calling his victim at the same time—the code would be sent to the person's voicemail. He could then spoof the target's phone once again to gain access to their voicemail, retrieve the verification code, and then add the victim's Telegram to his own device. After that, he could download their entire chat history from the cloud."
I think the least everyone who wanna continue using telegram must do is enable 'two-step verification' in Telegram settings.
Or use Signal. Or Wire if you don't wanna expose phone number. But Wire stores metadata.
Edit: Yeah WA is e2e by default. But if you or your friend has enabled backing up chats to Google account, everything will be backed up in plain/weak encryption. Also at least in android, WhatsApp automatically stores all received/sent pics, videos etc in a folder named WhatsApp which is available to any app with storage permission.
Magic Wormhole has a good implementation in Go, which is compatible with the original Python implementation (croc is not compatible with magic wormhole). It has windows binary and binaries for most of the popular OS.