A backdoor would be a feature of the service (be it on server or clientside) that'd explicitly allow for data exfiltration. The service provider complying with metadata requests and having vulnerabilities in their software are not backdoors, unless you can demonstrate that the metadata are oversharing info, or that the vulnerabilities are intentional.