Or they could just store the data locally on the user's device and not transmit it back to a central server, such that the company never even has possession of the data nor any way to retrieve it? Like I get it would require a major rewrite if they weren't already doing this, but at least they'd be keeping their users safe while also having no way for authorities to gain any data.
Not necessarily. If you trust the code running on your device then there is no backdoor they could install on a server that would break e2ee. They would have to backdoor the client where the keys are.
True, unless it's open source and maybe self hosted.
Edit: Nevermind, I'm right, I have no confidence in my own intelligence lol. If the key is on the phone and the phone stores the encrypted data to the server, that'll be secure