He is right actually. Currently, Signal stores recovery information including Signal PINs on highly insecure Intel SGX enclaves, which have many security vulnerabilities. It’s absolute madness. So if you have a 4-digit signal pin, which is easily brute-forced, then a threat actor could easily exploit SGX’s security vulnerabilities, get your Signal pin, then use that to look at your contacts.
Stop trusting people, start being trustless. And dont use signal pins lol
Also Signal does not have an official foss version and depends on google libraries and google play notifications, which is definitely a vulnerability