* There is no OS-verified path to install Signal or updates without being in Google/Apple proprietary ecosystems and submitting some usage metrics to them.
* You can't use Signal on minority market share platforms even if they offer higher assurances of freedom, privacy, and security (RISC-V, OpenPOWER, etc.).
* Getting a phone number requires KYC in over 200 countries, and carriers will happily sell you out, as extensively documented and demonstrated by journalists buying owner info and GPS coordinates for any given phone number. Any service that hard requires a phone number is not prioritizing privacy.
* All metadata and TCP/IP metadata flows to a SPOF where Signal employees, the ISP, or another entity inline could use network heuristics to deanonymize users, or dump the weak keys in SGX and get actual contact lists directly.
* If you want to use a privacy-respecting, signature-verifying app store solution like F-Droid, you are SOL. Moxie threatened to fight F-Droid or any other parties compiling/signing binaries from source code or doing forks or alternative implementations. He wishes to have complete control and the ability to rapidly push updates to all users quickly, be they benign or malicious. If someone coerces the signing key out of them, all Signal conversations globally could be decrypted, likely before anyone noticed.
I call all of this behaviour very privacy hostile. Published source code is moot if you are not allowed to use it or empower third parties like F-Droid to hold it accountable.