
The insistence that you use their automatically updated smartphone client makes the E2EE practically a no-op.





It's your choice to keep automatic app updates turned on. I turned it off.

In my experience that choice is available but choosing to leave it off means choosing not to use the service so it may as well not exist.

Unless they allow you to bring your own client E2EE is a no-op.


I have sympathies for this argument, though it boils down to trust. Even if you roll your own client, you still need to trust some things outside of your control, be it your build environment, your phone, whatever. But most people will use somebody else's client, so need to trust whoever built that one. Or whoever supposedly audited it. The Signal authors just play that role here. Their business model is fundamentally different than that of Google or Meta, which is a main source of trust people are putting into it. Offloading the exposure to a minimum (just the client which is open source) is another. Yes, there are ways around all that for an attacker, but in the end it's a game of likelihood. A journalist or dissident fearing for their life may have a different conclusion than mom and dad who want to coordinate a birthday party without big tech reading those messages and selling them to ad companies. It's good to err on the side of caution, but acting like I am the former while in reality I'm closer to the latter user type is in the end just theatre.

Sure. E2EE is a no op but it's ok because you trust them.

At that point I'll just send an email though because I don't need to convince people to install apps.


The situation is not as black-and-white as you paint it. English is an ambiguous language. It's a "no op" in the sense that there is the possibility that they ship an app update in which the crypto is compromised. Fair, that's possible, just like it's possible that your phone is backdoored or the CIA has installed hidden cameras in your bedroom. But as long as these things have not happened, specifically as long as Signal ships an app which corresponds to the code up on GitHub which has been audited time and time again, it's not a no op and works perfectly fine. That's very different from sending a plain-text email or painting the message contents on your window. Please stop conflating these two.


