riedel an hour ago

Open source would not help without the reproducible builds of Signal (I wonder who checks them on each release?). And only builds like Molly include no binary blobs of Google [1], which could IMHO at least be used to extract some metadata. Leaving the OS still as a risk, even for Molly or Matrix clients. Even with transparency around linked devices, I would believe that few people would notice silently linked devices. Simplest thing is, I guess, social engineering, which happened in a coordinated attack on Signal messengers of German politicians recently (I guess there should be an official Signal app version not supporting linked devices for such people) [2].

[1] https://news.ycombinator.com/item?id=46081855

[2] https://www.politico.eu/article/hackers-attack-phone-of-germ...