The WireGuard encryptions stops when data reaches their servers and the data is re-encrypted to be sent to the client. So, theoretically, they can look at all the data being passed through.

Read more here about TLS termination and TLS passthrough. https://blog.aiquiral.me/bypass-cgnat

The official service is bound to need a SSO login from bad privacy related providers. They insist in not allowing a simple account creation with just email and password.