My guess is that Signal has been compromised by the state for a very long time. The dead canary is their steadfast refusal to update their privacy policy which opens with "Signal is designed to never collect or store any sensitive information." even though they started keeping user's name, phone number, photo, and a list of their contacts permanently in the cloud years ago. Even more recently they started keeping message content itself in the cloud in some cases and have still refused to update their policy.

All the data signal keeps in the cloud is protected by a pin and SGX. Pins are easy to brute force or collect, SGX could be backdoored, but in any case it's leaky and there have already been published attacks on it (and on signal). see https://web.archive.org/web/20250117232443/https://www.vice.... and https://community.signalusers.org/t/sgx-cacheout-sgaxe-attac...