I don't use apt but I think you can use the pinning feature in apt and only allow the Signal application from Signal's repo. It doesn't solve all problems since they could add dependencies from other repos, but at least it partly stops them from adding their own dependencies in their repo.
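As an added illustration of the pinning idea described above (not part of the original comment), an apt preferences fragment that lets only one package come from the third-party origin; the path, the package name `signal-desktop` and the origin hostname `updates.signal.org` are assumptions and should be checked against the `Origin`/site of the repo's Release file with `apt-cache policy`:

```text
# /etc/apt/preferences.d/signal  (hypothetical path; added example)

# Specific-form record: the one package we actually want from this origin
# keeps the normal priority for a configured, non-default source.
Package: signal-desktop
Pin: origin updates.signal.org
Pin-Priority: 500

# General-form record: every other package that this origin offers gets a
# negative priority, so apt will never install it from there, even if the
# repo starts shipping its own copies of libraries the system already has.
Package: *
Pin: origin updates.signal.org
Pin-Priority: -1
```

Specific-form records (an explicit `Package:` name) take precedence over general-form ones, so the `*` rule does not override the `signal-desktop` rule; this still does nothing about dependencies the package pulls from other repos, as the comment notes.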