It sends messages through Google's messaging framework. Of course, the messages are end-to-end encrypted, so there's no security risk. It's just really hard to set up a global push messaging framework unless you have the clout of, say, Google.
I believe it doesn't actually send the message content through GCM anymore, but just notifies the client that a new message is available and tells it to connect to Open Whisper Systems' server for the content.