• 0 Posts
  • 2 Comments
Joined 2 years ago
Cake day: September 27th, 2023

  • For most: yes, there is a risk that the vendor has included a backdoor. There is also the risk that they are straight-up lying about how their service operates.

    For Signal in particular: You can verify that their claims are true because you can audit the source code.

    The Signal client is open-source, so any interested parties can verify that it is A) not sending the user’s private keys to any server, and B) not transmitting any messages that are not encrypted with those keys.

    Even if you choose to obtain Signal from the Google Play Store (which comes with its own set of problems), you can verify its integrity because Signal uses reproducible builds. That means it is possible for you to download the public source code, compile it yourself, and verify that the published binary is identical. See: https://github.com/signalapp/Signal-Android/tree/main/reproducible-builds

    You might not have the skills or patience to do that yourself, but Signal has undergone professional audits. If anyone ever discovers a backdoor, it will be major news.

    You are more likely to be compromised at the OS level (e.g. screen recorders, key loggers, Microsoft Recall, etc.) than from Signal itself.
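
The build comparison described in the comment above, as an added example that is not part of the original comment and is not Signal's own tooling. It compares two APKs entry by entry and, as an assumption, skips the signing files under `META-INF/`, since a store copy carries them and a local build does not; the sample archives are constructed in memory.

```python
import hashlib
import io
import zipfile

# Assumption: JAR-style signing files under META-INF/ are the only entries
# expected to differ between a published APK and a local rebuild.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")

def is_signing_entry(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and (
        upper.endswith(SIGNING_SUFFIXES) or upper == "META-INF/MANIFEST.MF")

def entry_digests(apk):
    """Map each non-signing entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(published, rebuilt):
    """Return (only_in_published, only_in_rebuilt, content_differs) as sorted lists."""
    a, b = entry_digests(published), entry_digests(rebuilt)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    differs = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    return only_a, only_b, differs

def make_sample(entries):
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    base = {"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
    store = make_sample({**base, "META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf"})
    # A faithful rebuild matches; a rebuild with altered code is reported.
    print(compare_apks(store, make_sample(base)))
    print(compare_apks(store, make_sample({**base, "classes.dex": b"dex-bytes+extra"})))
```

Three empty lists mean every non-signing entry matched; any name in the result is a file to inspect before trusting the published binary.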


  • There are a handful of non-default apps I’ve used across my last 3-4 distros at least:

    • mpv - the best video player, period. Minimalist UI, maximalist configuration options. I’ve been using it for many years across many OSes and at this point everything else feels wrong.

    • Geany - My favorite GUI text editor on Linux.

    • Foliate - the simplest eBook reader I’ve found.

    • Strawberry - It’s “fine”. Honestly, I’ve never found a music player on Linux that I really liked. I keep falling back to Strawberry because it’s familiar and generally works as expected.