Users could verify if they have been MITMed by verifying the Security Number (just tap on a contact, view contact details -> Encryption). This assumes the WhatsApp app doesn't just display the old safety number.
Indeed. I'm working under the assumption that the client itself is sound.
The question is: how many users will actually check the Security Number, and recheck all the security numbers now that they were made aware of having to turn on the notification.
What WhatsApp is doing here is like using a self signed certificate to do TLS (your own fault if you did not check the cert yourself using whatever out-of-bands method available) and on top of that the TLS client later by default will not tell you when that self-signed cert changes (and you therefore need to recheck it) and for added bonus routing all traffic through them.
Users could verify if they have been MITMed by verifying the Security Number (just tap on a contact, view contact details -> Encryption). This assumes the WhatsApp app doesn't just display the old safety number.