It looks like it would be possible. The fact that WhatsApp also doesn't encrypt the sent messages etc. is already known so I wouldn't wonder if in this behavior also is an security-issue If we would "outsource" the search for contacts in an own app we may can build a "security" layer into it so that we decide which Numbers are send to WhatsApp to check if they have an Account?! - At least this would be a little bit more "secure" But I dunno how exactly the contact-thing works so these are just my thoughts without background information...