If they get a wiretap order and your client can normally achieve a direct connection with a particular user, they could just emulate connection failure and the clients would revert to using the proxy without informing the user (after all, they are designed to do that for the sake of resilience of the user experience). You can probably see where the traffic is going, the client may even tell you without you having to dig far, but you won't know if you are going via the middle-man server(s) because of a general network issue that is stopping a direct connection being possible or if it is because of a wire-tap.
I have a sideband connection to a server, and I tell it to route my negotiation packets to my peer's sideband connection. I literally never even touch a UDP port or connection, and the library I uses establishes a connection using STUN(-light). And from having read the source, it doesn't explicitly determine or set the mapping (using uPNP) either.
Right, that's why TURN is part of ICE.