The issues people bring up with Signal are very easy for anybody with a minimally functioning brain to understand, and none of these experts are able to provide a credible answer to them.

The key issues people point out over and over is that Signal is a central server hosted in the US that harvests people's phone numbers on sign up. The users are trusting server operators with their privacy at that point because there is no way to verify how this data is used. Since the server associates real identity with the account, it is in position to map out networks of people communicating. And if this data is shared with intelligence agencies, which they wouldn't be allowed to disclose, then those can trivially correlate the personally identifiable information with all the other data they have access to.

If there's a person of interest, and you map out whom that person wants to have private conversations with, that's very useful data. Once you know that, then you can start tracking all the activities of their associates, and map out a whole network of people. Say, people organizing unions, or coordinating labor strikes, and so on.

This is an obvious problem with Signal, one that doesn't take any significant expertise to understand, and one that has never been fully addressed. People talk about things like sealed sender, but that doesn't address the problem I just outlined.

The core issue is that you have to trust the physical infrastructure rather than just the cryptography. The protocol design for sealed sender assumes the server behaves exactly as the published open source code dictates. A malicious operator can simply run modified server software that entirely ignores those privacy protections. Even if the cryptographic payload lacks a sender ID, the server still receives the raw network request and all the metadata attached to it. Your client has to talk to the server and identify itself before any messages are even sent.

When your device connects to send that sealed message, it inevitably reveals your IP address and connection timing to the server. The server also knows your IP address from when you initially registered your phone number or when you requested those temporary rate limiting tokens. By logging the raw incoming requests at the network level, a malicious server can easily correlate the IP address sending the sealed message with the IP address tied to the phone number.

Since the server must know the destination to route the message, it just links your incoming IP address to the recipient ID. Over time this builds a complete social graph of who is talking to whom. The cryptographic token merely proves you are allowed to send a message without explicitly stating who you are inside the payload. It does absolutely nothing to hide the metadata of the network connection itself from the machine receiving the data.

This once again makes it very suspicious that Signal insists on running a single centralized server.