I've often wondered if automatic updates and nag-screens are being used by bad-faith actors as vectors to sneak trojan horses into nominally-open-source apps. I tend to assume that any sufficiently-large open-source project will be well-enough scrutinized that it can't be used in this way, but when you're obtaining binary builds somebody else made, and especially when those builds are being pushed out on an almost-daily basis for extremely mundane reasons, the chain-of-trust has several weak links. Only accepting signed binaries is not a good answer to this problem because if you aren't involved in a project then you have very little insight into how those binaries were signed or whether the private key is even private.
But even so, when stakes are high enough, victim-blaming becomes both warranted and healthy. Even if there really was a deep-state conspiracy to embarrass the presidential cabinet (not that I think there was), the ultimate responsibility should still fall on their heads for not taking obvious precautions while planning an airstrike. If you can't verify that everybody in your Signal conversation is actually supposed to be in the conversation, let alone that they are even who they appear to be, then it's obviously not an appropriate platform for this discussion.