With reproducible builds like Signal does you can be sure the app you've downloaded matches the source code that's been audited:

https://github.com/signalapp/Signal-Android/blob/main/reprod...

FOSS is however a prerequisite to Kerckhoff's principle https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

Those two claims are independent. Centralized FOSS software cannot do this, since you can audit the source, compile it, and use it that way.

Open source is not a requirement for security, sure, but it's much easier to secure OSS.

Unlike the proprietary stuff there isn't a strong built incentive to remove it.