The cloudflare concerns aren’t an issue as long as you run your own instance, or join one that doesn’t use cloudflare. There’s nothing requiring cloudflare built into the software or the protocol.
Yeah, but the vast majority of non-technical users don’t bother to change homeservers, or even clients, so it could affect them. What puzzles me is why the Matrix/Element team chose Cloudflare for app.element.io (matrix.org uses LetsEncrypt), when CF aims to centralize the web and is a privacy nightmare. It’s more of an ethics thing, in my opinion. But sure, like I mentioned too, it could be solved by switching homeservers/clients, but the vast majority of users won’t bother.
This is a tricky question that can’t be answered on computers either, even if you run Linux, since the package manager can be compromised etc. In the case of phones, the best bet would be GrapheneOS with verified boot so there isn’t a chance it’d get infected.