A minimum supported version is only about functionality and does not guarantee anything about security.
I think you are vastly underestimating how big of an attack surface Android has. There are hundreds of vulnerabilities found each month (both for the Linux kernel and AOSP). Since the Kompakt is not receiving security patches, individual app security is completely irrelevant.
There are several critical vulnerability types that the Kompakt will forever be at risk for now.
Elevation of Privilege - Malicious code that is able to exploit a vulnerability and gain root access, which compromises every single app on the device.
Remote Code Execution - Bluetooth and network connections, or even websites that are able to run malicious code on your device without any user interaction or permissions granted.
Take a look at the monthly Android Security Bulletin. Almost every bulletin has dozens of critical vulnerabilities of both types.
https://source.android.com/docs/security/bulletin
This phone will not last for years. It’s already accumulating unpatched kernel level exploits each month. It’s dangerously irresponsible to use any app with sensitive data (including whatsapp) on a device like this.