To me, this is unforgivable behaviour. Signal always positioned themselves as "open source", and the Server itself is under the best license for server software (AGPLv3 -- which raises questions about the legality of this situation).
Signal's whole approach to open source has constantly been underwhelming to say the least. Their budget-Apple attitude (secrecy, i.e. "we can never engage the community directly", "we will never merge/accept PRs", etc.) has led to its logical conclusion here, I guess. I have been somewhat of a "Signal apologist" thus far (I almost always defend them & I think a lot of criticism they get is very unfair) but yeah I'm over Signal now.
A few years ago (2017?) I decided I would move messenger apps. The aim (and what I’ve achieved) was all my messaging going through a secure, private app.
Signal was never an option.
In 2017, Signal really was the only option. Element (Riot, back then) was really bad and didn’t feature e2ee (which only got enabled by default last year!). XMPP was and remains difficult to use (not even many people here use it, how could I expect “normal people” to use it?)
I made the choice to use Signal, and I don’t regret it. I only regret that it has taken until now that we are starting to see a glimmer of a real competitor, in the form of Matrix. But a real competitor to WhatsApp and the like, back in 2017, just didn’t exist outside of Signal.
Whenever I question Signal on Reddit, I get downvoted to hell.
In terms of privacy, I still vastly trust Signal over WhatsApp, Snapchat, etc. But they've been sketching me out more and more lately. First was them making Signal dependent on Google services. Then there was them threatening to sue projects that attempted to create forks of the project without said Google dependencies. Now it's them not disclosing the source code for their server side software.
In their defense, the client is still mostly open source, but they need to stop acting like some savior for privacy when they are so hostile to open source.
Another big problem with Signal is the fact that it's centralized with the server being located in the US. Even if the protocol itself is secure with the server not having access to user data, this presents a huge risk since the US government can simply force Signal to shut down the service at any time. The server can also potentially collect metadata about the users, providing US security agencies with user connection graphs.
I think that the Matrix approach is much more sound, and would always recommend it over Signal.