How do you know which code Wasabi is running on their servers, though?
You don't. You only know what code is running in your local copy of Wasabi wallet, which isn't the entity doing the spying and so is irrelevant to the discussion here.
As soon as you attempt to join a coinjoin through Wasabi's coordinator, your inputs are sent away to a third party server with who knows what code running on it. From there, you have absolutely no control over what happens to your inputs, where they are stored, who gets to see them, or which other third parties they are shared with.
To be honest, I am not 100% sure right now how WabiSabi works, but in theory it uses zero-knowledge proofs for something. I just quickly checked and somehow it just uses it to hide amounts; but that wouldn't work if they wanted to implement a blacklist. They'd definitely need to know the UTXO hashes in cleartext to match them against such a list.Which in turn means that no matter how they do it, it's not even required for us to check the client-side code, because it has to provide them this information in one way or another.
I am not aware of them implementing anything in the realm of 'proving your UTXO is not in the blacklist without revealing the UTXO'. They have zkSNARK, but that doesn't cover this application.