1) wetransfer.com publishes '-all' in its SPF record; so, if anyone sends an email from a fake address email@example.com AND you have correctly configured your FortiMail (with an action != accept), that email will not reach the user's mailbox.
2) Whitelisting is a LAST-resort method for when you cannot solve a problem in another way.
So it must be used carefully and monitored continuously. It shouldn't be enabled as a friendly feature for non-technical users.
I.e.: I have seen a lot of cases where a user whitelists their entire domain...