That’s a real problem, of course, but it seems fairly equivalent to any native app you install that can update itself or otherwise make a network request to obtain instructions.
Native apps that autoselfupdate have RCE vulnerabilities by definition and should be considered remote access malware already, before the developer release keys are compromised.
I am the reason Signal desktop now has a preference to opt out of autoupdate.
I agree with you. On the other hand, in the case of a native application, we can hope that the antivirus removes it. I hope that Microsoft has planned to update Defender accordingly.