So a compromised device is not unique to a US based company. A warrant can be issued to seize the device and that could happen with any other messaging service. It is fine to not like signal, and there are several reasons not to do so.
What I do have an issue with is the idea that signal is insecure or that federal agencies can very easily peek at your messages. Because that is not how encrypted messaging works. Signal does not have access to your private key. Your private key never makes its way to the signal server. Which even if the server was not running the code they have published, a NSL still wouldn’t let the government decrypt your message. Signal can be forced to disclose your public key, time stamps of your message, who you are texting, etc. But not the content of your message. Nor can they be forces to disclose anything that would give someone access to said content. Again because signal does not have access to that information. If you are concerned that signal could be publishing binaries that don’t reflect the source code, you can build the published source code and use that. But when your threat model is at that point you are beyond the scope of the original post.
The difference between signal and lavabit when it comes to key disclosure laws is how the services were set up. Lavabit required encrypted communication with the server to access, send, etc your emails. Which means the server side needed a private key that a NSL could force them to disclose. Signal is a little different. Private keys are held by the users and never make it to the server. Where yes a user could be forced to disclose that key, but again that could happen with any messaging server. It is not unique to the service you’re using being based in the US.
And this is also completely ignore the fact that signal utilizes double ratcheting which provides some inherent protection for compromised private keys (assuming you and the other person are deleting messages automatically). I would also like to mention that the signal protocol/double ratcheting/how signal does messaging is not unique to signal. It is utilized by a large number of services including matrix.
All of those are valid concerns. I think this is more the answer I was looking for out of my initial question. I was concerned about people saying signal a large security risk or barely grants any privacy.
I think my understanding I have gotten out of has been issues related to metadata, signal’s poor record of open source, and I also agree that centralization is bad.
I’m hesitant to say that there isn’t an application for signal. I think I would still recommend signal to my family, who aren’t very tech savvy, as a drop in replacement for sms/whatsapp because the experience is largely what they would expect out of a messaging app. But I think going forward, I agree that matrix is looking like a good option. And briar is really good if anonymity is a concern.
I want to say thanks for your patience in talking with me. I did learn a lot.