I can think of a lot of reasons why publishers of privacy- and security-related software would want to distribute their software directly rather than relying on 3rd parties if it is avoidable.
Signal is secure communications used not only by nerds but in situations in which privacy is a requirement for safety. In this singular case, do you think it's a greater security risk that someone may compromise Signal and ergo your computer, or that one or more of 97 different stores/repos with a multitude of different maintainers get attacked and used to first compromise your communications and then probably your computer as well?
Remember, you are expecting the maintainer to not only be honest; you are expecting them to secure their own machine as well.
I agree that policing a bunch of third-party rebundling of apps is problematic, but the entire idea of just giving up and letting user applications splat all over my system because that's how Linux always has been doesn't work.