It opens users to timing attacks.
If there are 10000 notifications per second. And across 100 incidents user A does something to cause a notification and user B receives a notification within network latency time periods, it is likely user A is talking to user B.
Whilst that seems like arbitrarily useless data, having this at the giga/peta scale that the US government is processing it, you can quickly build a map of users “talking” to users.
Now, this requires the help of other parties. You need to know that user A is using WhatsApp at the time. And yeh, you don’t know what the message is, but you know that they are hitting WhatsApps servers. And you know that within 5 minutes of User B receiving a notification, they are also then contacting WhatsApp servers.
So now you know that user A is likely talking to user B via WhatsApp.
And also user G, I X and M are also involved in this conversation.
And you bust user G on some random charge. And suddenly warrants are issued for more detailed examination of users A, B, I, X and M.
Maybe they have nothing to hide and are just old college friends. Or maybe they are a drug ring, or whatever.

It’s all the “I have nothing to hide”, phones being tied to a person, privacy and all that.
We can’t really comprehend the data warehouse/lake/ocean level of scale required to realise what all the little pieces of meta data and tracking information being able to add up to “User A is actually this person right here right now and they bought a latte at Starbucks and got 5 loyalty points” level of tracking.

Is it likely this bad?
Probably.
Theres the “Target knows I’m pregnant before told anyone” story.
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

That’s over a decade ago. It’s not let off. And you can bet that governments are operating at a level a few years beyond private industry.

So yeh, every bit of metadata counts