What exactly prevents them from doing a Windows build with a non-published change, signing it with the keys they control, and pushing it to an individual client through the upgrade servers which they control?
Desktop clients communicate through mobile clients, so they don't have access to the key material.
I don't believe that is the case. You can turn your phone off and the Signal desktop client will continue to work just fine.