it’s not quite that brazen, but from what i remember the whatsapp server can push a new public key for your contact/chat to the device, which means that they can MITM you. the chat shows that the key changed, but most users wouldn’t know what that means and ignore it
In that case most users similarly won't know what reverification means and will just click through without verifying anything. It's not reasonable to say that that makes WhatsApp only as secure as Twitter DMs.
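A minimal model of the two client behaviours discussed in this thread, added here as an example and not taken from WhatsApp's code or from either commenter. `PinStore`, the policy names `notify` and `block`, and `fingerprint` are hypothetical, and the keys are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Digest of an identity key that two users can compare out of band."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class PinStore:
    # "notify": accept a server-pushed key change and only record a notice.
    # "block":  hold the new key and refuse to send until it is re-verified.
    policy: str = "notify"
    pins: dict = field(default_factory=dict)     # contact -> trusted key
    pending: dict = field(default_factory=dict)  # contact -> unverified key
    notices: list = field(default_factory=list)  # what the chat would display

    def receive_key(self, contact: str, key: bytes) -> bool:
        """Handle a key delivered by the server; True means sending may proceed."""
        pinned = self.pins.get(contact)
        if pinned is None:                 # first contact: trust on first use
            self.pins[contact] = key
            return True
        if pinned == key:                  # unchanged key, nothing to decide
            return True
        self.notices.append(f"security code for {contact} changed")
        if self.policy == "notify":
            self.pins[contact] = key       # new key is trusted immediately
            return True
        self.pending[contact] = key        # new key waits for verification
        return False

    def verify(self, contact: str, fingerprint_seen_out_of_band: str) -> bool:
        """Promote a pending key only if its fingerprint matches what the user checked."""
        key = self.pending.get(contact)
        if key is None or fingerprint(key) != fingerprint_seen_out_of_band:
            return False
        self.pins[contact] = self.pending.pop(contact)
        return True
```

Under `block`, a user who clicks through without comparing fingerprints has no matching value to pass to `verify`, so the model only captures a client that requires the comparison rather than a confirmation button.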