1

I was told that IP whitelisting should not be considered safe and is hence obsolete.

I fail to understand why this statement holds: can IPs be impersonated? If not, then why is it a bad/obsolete way of securing a service? (Assuming the traffic can't be sniffed.)

John
The person stating this needs to justify it. Who told you this? What was the context? "Safe" for what? We can't explain what someone else meant. – schroeder Apr 13 '21 at 14:03

2 Answers

2

As with many/most/all things in security, this will depend on the threat model of the service(s) you're looking to protect.

The downside of IP address whitelisting as a single control is that it assumes that you can trust all the traffic that comes from the white-listed addresses, which is often not a great assumption to make, especially on larger networks. On a smaller network where you control all the endpoints, though, it might be a reasonable control to use.

Also, it's often not a bad control layer to use as part of an overall security plan. For example, white-listing on the Internet, where you're only expecting traffic from a small number of source IP addresses, can cut a load of noise and random attacks off from targeting your service.

To provide one example of why you may not want to rely solely on white-listing: imagine a scenario where you white-list a network for access to a service, and then within the white-listed network, someone starts a proxy server. Now untrusted users can use that proxy server to access your service.

Rory McCune
1

Whitelisting itself is not a great security measure. With whitelisting, you are trusting the network(s) behind those IPs to be 100% secure, without any way to obtain a physical connection (a spare hot jack somewhere), wireless connection (including IoT devices that typically have weak default passwords), VPN access (lack of 2FA/MFA, etc.), able to block all Remote Access Trojans, etc.

Very few networks get all of this security correct, so any weakness in that network is also effectively a weakness in your whitelisted server/firewall. 2FA/MFA is the "gold standard" for modern services that need to be secured, as it prevents most types of attacks (except targeted attacks against a specific person), since users of these techs have something physical to use in addition to a password.

I wouldn't go so far as to say that whitelisting is "obsolete", as it does offer some limited protection against attacks. It's a matter of risk assessment. I would not use whitelisting as the only line of defense for something as valuable as banking or other ecommerce systems, since high value systems are prime targets for attacks, but on the other hand, whitelisting might be perfectly serviceable for your personal blog on a server you run yourself.

phyrfox
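The point both answers make (the allowlist only proves which network a connection came from, so a proxy inside that network inherits the trust; a per-user credential such as a token or MFA is the layer that actually identifies the caller), as an added illustration that is not code from either answer. The networks, user names and token values are constructed for the example; the `authorize` function, `ALLOWED_NETWORKS` and `USER_SECRETS` are hypothetical names, not any real product's API.

```python
import hmac
import ipaddress

# Constructed allowlist: one "trusted" office network plus a single admin host.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed per-user secrets standing in for the second layer (MFA/token).
USER_SECRETS = {"alice": "alice-token-42"}


def ip_allowed(client_ip: str) -> bool:
    """Layer 1: is the connecting source address inside an allowlisted network?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def token_valid(user: str, token: str) -> bool:
    """Layer 2: does the caller present a valid per-user credential?
    compare_digest runs in constant time so response timing leaks nothing."""
    expected = USER_SECRETS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), token.encode())


def authorize(client_ip: str, user: str = "", token: str = "",
              layered: bool = True) -> tuple[bool, str]:
    """Return (allowed, reason). With layered=False the decision rests on the
    source IP alone, which is the single-control setup the answers warn about."""
    if not ip_allowed(client_ip):
        return False, "ip not allowlisted"
    if not layered:
        return True, "allowlist only"
    if not token_valid(user, token):
        # Worth logging: a burst of these from one allowlisted address is the
        # signature of the "proxy inside the trusted network" scenario.
        return False, "ip allowlisted but credential invalid"
    return True, "ip allowlisted and credential valid"


if __name__ == "__main__":
    # 203.0.113.50 is a proxy inside the trusted network relaying an outsider.
    print(authorize("203.0.113.50", layered=False))   # allowlist alone lets it in
    print(authorize("203.0.113.50"))                  # layered check rejects it
    print(authorize("203.0.113.50", "alice", "alice-token-42"))
```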