How easy would it be for them to ship a backdoor on iOS? With Apple's DRM it should be difficult to decrypt the IPA and compare it to the source code.
If your HW/OS doesn't allow verification of binaries, but your threat model requires doing that, then you need to use proper HW/OS that allows the verification. Also, iOS is proprietary so who knows what the OS is doing anyway. Also, this https://thehackernews.com/2014/01/DROPOUTJEEP-NSA-Apple-iPho...
If you are in the EU you can build the app from source and sideload it on your phone. Everyone else is out of luck. So yeah, either Signal or Apple can insert a backdoor into the app.