Well outside of the general open source and E2EE stuff, there are a few more things.

They’re under a non-profit foundation and charity to which donating is tax-deducatble. That means they have to publicice their financial numbers. Selling data would generate a sudden revenue, which would draw attention.

They also regularily do external audits, both from external audit organisations as individuals. This list was made in august 2022, you can likely find a newer list somewhere. I just did a quick search for you. https://community.signalusers.org/t/overview-of-third-party-security-audits/13243

Signal also runs perfectly fine without anything Google btw. It uses PlayServices only if you have it on your phone (otherwise it just uses WebSockets), as it preserves battery life. However, it doesn’t actually send data to Google over PlayServices. Instead it sends an empty notification, which wakes the phone and is recognised by Signal as a trigger to make it connect to Signal servers to grab data directly from there. If you wish, you can check this in the code yourself. I guess you may also be able to confirm this looking at network traffic from and to your phone.

Also a note on the E2EE. Another important thing is that not only the message is encrypted, but also the metadata. Unlike most other chatapps like WhatsApp; who knows where you are, who you talk to, how often, etc. You could theoretically also check this by checking outgoing traffic if you wish.

This also means that unless they somehow secretly have a copy of your private key, there is no data for them to sell anyways. The fact that even in court they’ve didn’t have data to show, them passing many external audits without this being a point (sometimes issues are found, which is normal. If audits are always perfect I’d be more warry. But never on this point afaik), and that nothing in the code nor internet traffic points to them possibly having this, makes me not that worried about the idea that they secretly got a copy of peoples private keys.

So overal while it’s perhaps technically possible they secretly run something else on their server and build a back door to read your messages, they are many things that show they don’t, and literally nothing that would say they do. And neither does there seem to be any reason why, since they can’t sell it nor give it in court. So unless you believe they have some evil bigger plan, I don’t see the reason to doubt.

And a little note. Privacy people can be crazy, and I say that in a positive way! If you can check it, people no doubt have, and issues would’ve been found. Yet many people deep into it still vouch for it. That says something. And the less crazy people profit of this. This is similar to why many big FOSS projects are considered safe even if you didn’t check all code yourself. And before you say “but if everyone thinks like that”, realise that the craziest don’t trust other people either. While smaller projects could hide perhaps, the real big/famous projects like Signal, Linux, LibreOffice, etc would fall trough as soon as they start doing shit.

Why does Signal need my phone number?

Signal is subject to National Security Letters in the U.S.

Signal received funding from Radio Free Asia owned by the U.S. Agency for Global Media with ties to the CIA.

They seem to have a history of needing quite some time to release the server source code.

Here are some articles to read about Signal:

https://yasha.substack.com/p/signal-is-a-government-op-85e

https://www.androidpolice.com/2021/04/06/it-looks-like-signal-isnt-as-open-source-as-you-thought-it-was-anymore/

https://github.com/signalapp/Signal-Android/issues/8974