Signal is probably safe for the data[†], but as we know, the NSA cares even more about metadata – and since Signal's centralized servers are (all?) located in California…
If you're worried about metadata, then you're probably best off publishing encrypted gists. Yes you have to poll to get the update, but it's better than getting hit by timing analysis.
What people? Vetting how? The problem remains: If you don't read and understand all the code (which is basically impossible for most people), then you have to trust some source of information, which in turn is based on some other source etc.
In short: You can basically never know for sure if any complex product is completely secure. You can make guesses, and the more research you do, the closer you get to an answer. At some point, you have enough information to deem a solution "secure enough" for a specific use.
For regular users, it's mostly a question of belief.
<< FinFisher malware is installed in various ways, including fake software updates, emails with fake attachments, and security flaws in popular software. Sometimes the surveillance suite is installed after the target accepts installation of a fake update to commonly used software.[2] Code which will install the malware has also been detected in emails.[17] The software, which is designed to evade detection by antivirus software, has versions which work on mobile phones of all major brands. >>
No backdoor is needed when a user's behaviour will let you in. It helps greatly when the service provider co-operates.
[†] - then, considering stuff like this, even vetted open source code might be at risk (remember that the NSA can afford the best programmers in the world!):
http://underhanded-c.org/
http://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thom...
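An added example (not from the thread above, nor an entry from the Underhanded C contest linked in the footnote) of the kind of bug "vetted" code can carry: a password check that reads as correct at a glance and passes a casual review, beside a fixed version. The function names and the sample password are assumptions made for the illustration.

```c
/* Added illustration, not code from the thread or from underhanded-c.org.
 * A "bounded" string compare that looks careful but is wrong in a way a
 * quick review tends to miss. */
#include <stdio.h>
#include <string.h>

/* Underhanded: the comparison is bounded by the length of the *caller's*
 * input, not the stored secret. An empty input compares zero bytes and
 * "matches"; any prefix of the real password matches too. */
int check_password_underhanded(const char *input, const char *stored)
{
    return strncmp(input, stored, strlen(input)) == 0;
}

/* Fixed: require equal lengths, then compare every byte with no early
 * exit, so a partial match is never accepted and the byte loop does not
 * leak how many leading bytes were right. (Length itself is still
 * observable from timing here; hash-then-compare avoids that.) */
int check_password_fixed(const char *input, const char *stored)
{
    size_t n = strlen(stored);
    if (strlen(input) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(input[i] ^ stored[i]);
    return diff == 0;
}

int main(void)
{
    const char *stored = "hunter2";            /* constructed sample secret */
    const char *attempts[] = { "", "hunt", "hunter2", "hunter3" };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        printf("%-8s underhanded=%d fixed=%d\n", attempts[i],
               check_password_underhanded(attempts[i], stored),
               check_password_fixed(attempts[i], stored));
    return 0;
}
```

The point for the thread: the first version uses a "safe" bounded function, has no obvious buffer issue, and would survive a diff-by-diff review; the flaw is in which length bounds the compare, which is exactly the class of thing a skilled, motivated contributor can slip past vetting.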