You’re right, the messages would not be decrypted by the server but by the client making the report. Key rotation also shouldn’t be an issue because it uses a ratcheting chain key. But if the non-malicious client is already set up to send decrypted messages to the server, this seems antithetical to the idea that WhatsApp can’t read your conversations. There are clear caveats without even introducing the idea of a malicious client potentially exfiltrating decrypted messages elsewhere. Signal on the other hand receives the reported senders phone number and an encrypted message ID, presumably acting on spam reports by relying on multiple reports of the same message from the same sender, rather than by reading the message
You’re right, the messages would not be decrypted by the server but by the client making the report. Key rotation also shouldn’t be an issue because it uses a ratcheting chain key. But if the non-malicious client is already set up to send decrypted messages to the server, this seems antithetical to the idea that WhatsApp can’t read your conversations. There are clear caveats without even introducing the idea of a malicious client potentially exfiltrating decrypted messages elsewhere. Signal on the other hand receives the reported senders phone number and an encrypted message ID, presumably acting on spam reports by relying on multiple reports of the same message from the same sender, rather than by reading the message