Random thoughts, not necessarily related to each other.
I see trusting software itself as a vulnerability. Most people discuss platforms. But there are many points along the journey of a message.
Your app may be secure, or not, but what about your computer or phone? And so on.
Generally, security is about a trade-off between the effort it takes to get into something and the benefit of doing it. The harder it is to get in, the less likely an attack. The lower the value of the secured information, the less likely it is to be a target.
Nothing is absolutely secure, ever. Even systems with no known vulnerabilities cannot be complacent about being future proof.
With a high enough value, and hence enough resources thrown at breaching it, most things can be breached, which is how there are intel leaks from the most secure of places.
Generally, the highest security would be among small offline groups where access is limited to very few, but obviously this is not relevant to social media/chat. And even this is no guarantee. Given enough value to the information, the movements of people could be tracked to reveal networks (this is how spying works). And so on.
Only the truly paranoid are private with any notable assurance.
But for most casual purposes, mitigation may be adequate.
For example, applying updates diligently (this will patch unintended vulnerabilities, but won't protect from government/deliberate surveillance). Distributing information across different, perhaps competing providers. E.g., email with Google for casual purposes, less common and highly secure providers for important stuff (or better still, your own server), social media with Facebook, chat with something other than WhatsApp/Instagram (because they share a parent with Facebook), image sharing with Flickr, Pinterest etc. rather than Instagram, and so on. (And turn notifications off, or Google gets it all.)
Website hosting in another country from your own… Or physically hosting your own server…
Small sites such as this one will be less vulnerable to government surveillance. On the other hand, admins and moderators knowing members and having full access can present risks from personal motives.
Keeping phone numbers used for banking, tax or licences etc separate from ones used for social media…
Very often, the biggest risks come from humans, not code. Passwords that are easily guessed, installing apps and software with generous permissions to system resources, support staff with high access to user accounts and inadequate protocols to prevent conversational leaks of information (calling a helpline to ask for user data, for example)…
Speaking of Telegram and Signal, etc., the fact that they go to the effort of making policies with a view to protecting data is already a step in the right direction. WhatsApp learned it the hard way after this exodus and made hasty statements to reassure users that the data sharing only applied to business accounts. But trust is a fragile thing. And interacting with a business account can't be ruled out if one is to keep using WhatsApp.
And so on.
Sorry if this destroys anyone’s sense of online safety, but online safety is mostly a myth.
Privacy, like any other right or freedom, is one that must be exercised robustly to be strong.