For sure, I do understand the concerns. Government subpoenas and metadata leaking are real problems, and it’s hard to design algorithms well in order to minimize the leakage. But Signal is designed in such a way that the only information that they can possibly collect on any user is (1) phone number, (2) account creation time, and (3) time of last connection with their server. This is true even if they are compelled to release information about their users, even under duress. This has played out in court many times, and Signal is unable to comply with government demands for any information other than exactly these three things: https://signal.org/bigbrother/

I’ve done 5 years of research into designing private messaging systems specifically, and the more I learn about Signal the more I believe that they’re really the gold standard of privacy, to the degree that it’s shocking that they’re a non-profit and provide their service for free. Knowing how hard it is to design a secure messenger, and how few eyes are actually on most open source projects, people should always be cautious about smaller projects promising stronger privacy guarantees.

The other concerns you brought up (anonymity, targeted government investigations, device compromise, etc.) are super valid and important. But I think Signal also does the best of any private messenger in their UI/UX design, to be as clear as possible about what they keep private. At some point, it’s not clear to me how Signal would protect users who (for example) use their full name and think they’re anonymous, or users who don’t put a password on their phone. They’ve really nailed the “private messenger” part, and I’m just trying to emphasize that the concerns in this comment thread and linked github essay are mostly unfounded, thankfully.