I’ve never built something like ICEBlock that puts me personally in the crosshairs of not just normal hacking attempts, but also the political will of the federal government. I can’t imagine the cess pool that is Joshua’s DMs. I think OP makes all the right assessments when examining how seriously ICEBlock is taking the risks here. The Android push notifications assertion is proof enough to make me raise a pretty big question, let alone the other issues raised.

Were I building something that I would want to assert the level of privacy claims that ICEBlock asserts, I would absolutely be taking any/all reports about security extremely seriously.