I would say the same that the developers of Signal as they own and update the code so they have a lot of responsibility to not to leak or steal everyone's private messages. It's in Google's interest to have a healthy platform that people trust. They don't want people to associate Android with having your private messages leaked.
I still don't see why it would be Google's fault if there was a vulnerability in an app. Would you also say it is their fault if I enter my personal information into a vulnerable site on Google Chrome?
It doesn't have to be their fault to be their problem. Google does take steps to protect Google Chrome users from being phished, because this causes problems for them.
