If you are not trusting the people that are running these things, then Signal is just another siloed messenger where the servers are controlled by a single entity. There are certainly worse but Signal is not special.
Signal has open clients with reproducible builds. We know that they are keeping their promises wrt what information is communicated with the backends. That's a step above the other options in common use, and in fact does make Signal special.
> Signal has open clients with reproducible builds.
Not really. First of all, there is only one Signal client allowed to connect to Signal’s servers. And in the real world, the vast majority of Signal users are getting their APK for that app from the Google Play store (the Signal team has said that they prefer you to use the Play store as well, instead of direct-downloading an APK from their website which they offer only grudgingly). That means that a state-level actor could possibly carry out a targeted attack to replace the Signal app on a given person's phone with a malicious build.
Also, Signal’s reproducible build system requires a specific version of the Android development kit. It has been pointed out that a state-level actor could be sitting on vulnerabilities in that, and not in the Signal source code itself.
Both these attacks indicate a problem that doesn't have anything to do with using Signal. If the actor can replace apps on your specific phone, then you're pretty fucked no matter what app you use.
If the attack is on the Android dev kit, but not on Signal, then... the attack isn't on Signal, it's on the dev kit. Unless Signal's using an unusual version of the dev kit, your risk exposure to this attack is equal to any other app that you would use instead of Signal.
> That means that a state-level actor could possibly carry out a targeted attack to replace the Signal app on a given person's phone with a malicious build.
No, they couldn't. They would need the Signal developers' key. Android requires app updates to be signed with the same key as the original app.
A state-level actor can get the Signal key either covertly or by simply marching into the Signal offices with either a warrant or (if that fails) guns. Now, whether that will actually happen is a secondary issue -- but I submit that you have a mistaken conception of what a "state-level actor" means in a threat model. The fact that Google Inc doesn't hold the necessary keys but Signal LLC does is not a meaningful distinction to a state-level actor.
That isn't to say "all crypto is hopeless", simply that you shouldn't consider Signal to be state-level actor proof.
Do you personally do that with every release (which happens every few weeks or so)? Do you know anyone who does that who is trustworthy? If not, it's a fairly useless form of protection.
That's all a smoke screen. Nobody is running an open client with a reproducible build, everybody is running whatever version is downloaded from their app store of choice.
Have you personally done that? Do you know of anyone who is doing that and publicly tracks said verification? It doesn't matter how trivial it would be to verify if nobody is actually doing the verification (not to mention you'd actually want many people doing it and publicly posting their verification, as well as you checking that your hash matches everyone else's before installing the APK -- and there is no automated setup for doing that on Android.)
I don't think any significant number of people do it. I don't use Signal specifically, but I don't even know that there is a way for me to actually do it and then track whether that matches the version the iOS app store loaded on my phone, at least not without jailbreaking the phone.
In contrast to Signal, Telegram doesn't end-to-end-encrypt messages by default (they get stored in plaintext on their servers), it also doesn't protect the social graph and even stores your contact list on their servers. Even WhatsApp is more secure than Telegram.
They are more or less the same thing if you are not trusting anyone. Both require you to verify the key fingerprint for a particular contact (safety numbers) if you want effective end to end encryption. Both are silos. Telegram is better about distribution and can be gotten from places you might trust better (e.g. F-Droid, Debian). Both have some sort of reproducible build thing going on. Both could get access to your connections to other users if they wanted, whereas Signal also insists on access to everyone's phone number. Telegram works on desktop without also insisting you have the program running on your phone.