My point was that even one phone with the WhatsApp app itself can mean compromised opsec. No matter if it’s used for operational communication or not, or whether or not the messages can be read by 3rd parties or not.

Doesn’t really matter, it’s the metadata that reveals your connections and locations. Surprisingly big amount of useful (but not necessarily correct or verifiable) intel can be gathered without eavesdropping into the actual conversations. People have been - on other occasions - targeted because they were connected to a person, who’s connections may have been suspicious to some state actors.