Instant Messaging (IM)
Real-time Text Transmission via Internet
Actually also an alternative to questionable messengers from FB (WA, FB Messenger) and other simply insecure solutions …
But the Signal Foundation uses the cloud of Amazon and Google and I am not comfortable with that (close cooperation with the CIA).
Server Version was Open Source
Suspicious: the source code of the server version has not been updated on GitHub for almost a year. Quasi unofficial end of open source (was previously open source including the server version) …
New Functions with Vulnerabilities
In recent months, Signal has introduced a number of new features to make its app more user-friendly. One of these features has recently caused controversy with users. This is a contact list backup feature, which is based on a new system called Secure Value Recovery (SVR). The SVR feature allows Signal to upload your contacts to Signal's servers without – supposedly – Signal itself being able to access them. However, SVR and the RAM encryption used (Intel: SGX, AMD: SEV) already have exploited vulnerabilities!
The PIN at Signal is no «PIN»
Unfortunately, the «PIN» in the Signal app was initially introduced by force (you were coerced into setting it up) without proper explanation of what it really is.
Later, the Signal developers made this PIN function, which was not properly explained, deselectable.
However, this PIN is not used to secure your local data on the device, as one would think!
I strongly recommend you read the blog article by cryptologist Matthew Green (see References down below). Short version: Signal wants to use this «PIN» to encrypt your contact list (surely later also chat histories and more) on its servers, but if the password is too short, your data are not secure! The technology used has vulnerabilities (see above) – possibly deliberately with pressure from the authorities?
No insecure Data Backup at Signal without PIN
Actually, I can only advise against using the PIN in Signal. Perhaps users will soon be forced to set a PIN again, as they were when this SVR technology was introduced. Then it will no longer be possible to prevent contact data from being uploaded. That is a no-go.
Registration lock requires PIN
But if you want to prevent someone from secretly gaining access via the multi-device functionality, you have to set the registration lock. And that in turn requires the PIN, which I don't like because of the vulnerabilities (see above). If you believe that the known vulnerabilities are not yet being exploited as a backdoor, continue to use Signal at your own risk, but to be on the safe side, set a very long, very good password as the PIN. Under no circumstances should this be the device PIN!