If you're referring to Signal, there are multiple third parties you need to trust - from the phone manufacturer could be logging your keystrokes to the App Store owner that could be substituting a spyware binary (most people don't verify package signatures) to the Signal developers one of whom could be introducing a backdoor security flaw into the code that wasn't noticed by others.