Signal is probably safe for the data[†], but as we know, the NSA cares even more about metadata – and since Signal's centralized servers are (all?) located in California…
[†] - then, considering stuff like this, even vetted open source code might be at risk (remember that the NSA can afford the best programmers in the world!):
If you're worried about metadata, then you're probably best off publishing encrypted gists. Yes, you have to poll to get the update, but it's better than getting hit by timing analysis.