So it looks like the protocol was audited, but I don’t know about the app or servers. https://www.pindrop.com/article/audit-signal-protocol-finds-secure-trustworthy/

Apparently this is a tough problem for mobile devices… GrapheneOS (security hardened OS based on Android) took months to fix a leak someone reported, and had to collaborate with the VPN app providers to do it https://github.com/GrapheneOS/os-issue-tracker/issues/3442