[01HNNWZ0MV43FF]

That threat model for Signal worries me.

If I was the US government, I'd push Google Play to offer compromised updates of Signal silently to a few people I was interested in. Even among the highly-technical, who is going to be inspecting binaries installed on a phone regularly?

Does Signal even have reproducible builds? How do I know the code matches the binary?

I'd make my own messenger.... but I don't have the money for that at all.

I wish these risks could be split up and handled separately - Suppose I run a private dark network for me and my friends, and then the GUI for chatting over it runs in a sandbox where it can only message servers that I control, using public/private keys that I control.

Conflating a million lines of Java GUI code with "Noise is a simple and secure protocol" seems like a big attack surface.