Last I checked Signal was not fully open source, which is iffy, believe their encryption protocol is still closed. That said its the best of a bad bunch for E2EE messaging. If you're on android I'd recommend doing what I do, which is installing from the APK on the site, manually verifying the sig locally (you can use termux for this), and then lagging ever so slightly behind on updates to avoid potential supply chain or hostile takeover attacks. This is probably over cautious for most threat profiles, but better safe than sorry imo. Also their server side stuff is close sourced, technically this isnt an issue though as long as the E2EE holds up to scrutiny though.

Edit: My information may be out of date, I cannot find any sources saying any part of the app is closed source these days, do your own research ofc but comfortable saying its the most accessible secure platform.