Sure. If you want full control, you need to run your own server.
Matrix crosses my mind.
But using that is a different animal than installing an app from a store.
As far as security when communicating conveniently on mobile phone goes, Signal does a pretty good job. But you’re right that it’s important to realize what’s possible and what’s not possible.

And you seriously think most people would look at and act on such an icon instead of just ignoring it?

Yeah, the never-ending weighting between convenience and security.
But are you going to tell me that those people don’t have Whatsapp, Threema, Telegram or any other IM installed and just use plain SMS instead?

Handling SMS and handling secure/encrypted messages could’ve made people think they communicate securely while relying on text messages instead.
Not handling SMS fixes this source of confusion and I applaud their decision.

The deal is that they run their program in a very transparent and wherever possible verifiable way.
More details here: https://lemmy.world/comment/14775870

Don’t assume - verify!

If they encrypt meta data like they say they do (https://signal.org/blog/signal-is-expensive/), it should be very hard to use meta data the way you explained.
Whether they do can be looked up here (https://github.com/signalapp) by those who know what to look for.
As Signal uses reproducible builds (https://signal.org/blog/reproducible-android/), itcan be verified that the builds are made from the public source code.
They make offering a secure and trustable app a lot better (by being verifyable) than other messengers.