That means there’s a software switch that dumps a plaintext copy of a supposedly encrypted message when flipped.

Kinda, sorta, but no, not really. What’s happening is that the recipient is decrypting the message. When you report the message, you include a cleartext copy with your report.

The “switch” you are talking about is in the same app that is doing the decryption. For the bad actor to toggle that “switch”, they would have to control the app.

That’s a little disingenuous…

1. You receive an encrypted message.
2. You decrypt the message.
3. You report the message.
4. You forward the decrypted message.

When you send a message, no E2EE scheme can prevent your recipient from forwarding the decrypted message to a third party.