Yes, it can be. As you know, Facebook provides API access to application developers. If an application has all the permissions, including conversations, then after you allow that application, it can read or send messages from your account.
But Facebook does not provide this access easily, as it is a very big potential threat. Facebook now manually checks each application before giving permissions. It has also added an autogenerated token to each request sent from the client, so it's very difficult to bypass that.
But if someone uses a sniffing attack, then they can get your conversations through a network. Let us take an example: I will create a payload and send that payload in a JPG file to the victim. After they open it, it will give full reverse access to the server, where an attacker can access the system and get the details. But this is external to Facebook.
Prevention: Please check which permissions you are allowing when you allow a Facebook application.
Do not download any unauthorized application that you are not sure about.
Facebook Messenger is the most widely used messaging app, with over 800 million users. Since it has a large user base, Facebook has done everything in its power to keep its social media platform as safe and secure as possible. The Secret Conversations feature was released to add a layer of security to Facebook Messenger, one of the largest messaging apps today. With Secret Conversations, the messages that users send to each other are encrypted with end-to-end encryption so that an intruder in the middle can't access the messages.