It's very simple, the vast majority of popular chat applications out there don't have open source backends. Which means we basically have to trust their owners to do the right things and hope for the best.
The business model of choice in this space is to (sometimes) have partially open source clients but almost never use OSS in the backend. There's a lot of secret sauce and magic that these companies use to differentiate from each other and most of that is proprietary. This provides these companies with a control point to lock in their users to their network.
For the same reason attempts at standardization of protocols and federating chats and calls between networks have largely stalled/failed. XMPP is technically still around; it's just that none of the popular solutions in this space use it.
I'd say Signal is the positive exception in this space where both server and client are OSS and the client UX is pretty decent. Telegram talks a lot about security as well but their OSS seems limited to mostly client side. Of course a lot of the crypto is client side so depending on how paranoid you are that may or may not be good enough. Either way there probably is a lot of server side stuff that is relevant to end to end security that is not being scrutinized outside Telegram.
For both, even if the client is OSS, what goes into the app stores may still include stuff not accounted for in the source code. Auditing the source code and the binaries are two things. And then there's the runtime environment to consider, which is a OS that is probably proprietary that includes lots of stuff that is a bit icky from a security point of view.
So, there's multiple levels of "trust us, we know what we are doing" that you'd have to buy into in order to feel secure. IMHO that has been a problem for a while but most people/companies seem to be indifferent when it comes to security and happily pay through their nose for 100% proprietary security snake oil peddled by the sales people of e.g. MS, Zoom, Slack, etc.
> the vast majority of popular chat applications out there don't have open source backends. Which means we basically have to trust their owners to do the right things and hope for the best.
Err, if that were the case, then why do we bother with encryption at all? End to end encryption means you don't need to trust the owners, at least for message contents. For metadata, yeah, that's why I choose not to use a known-bad company like Facebook (i.e. WhatsApp) and would rather use Signal or Wire and hope for the best, but that's only metadata. Doesn't mean I trust Wire with the contents of my communication, at least when verifying people's keys.
Assuming you use stuff like this, that would be a good question to ask yourself. IMHO it probably helps a little bit keeping some people out but I have few illusions that the likes of the NSA, Russian, Chineses, North Korean, and other intelligence agencies don't know of dozens ways to listen in if they choose to with varying levels of easiness/convenience. As I like to point out, assuming it's only your friendly local security agencies listening in would be a misguided assumption.
In any case, I use zoom, google meets, slack, skype, facebook messenger, whatsapp, probably a few more things regularly both privately and for work. I'd prefer using Signal more but the people that reach out to call me and the people that use Signal are basically a Venn diagram consisting of two separate circles. I've never actually done a call via Signal. I'm assuming it actually has this feature, but I'm not even sure it does ;-)
Signal supports one to one calls. Basically it's a secure alternative to the way you'd normally use your phone. As you see in this thread, multi-party secure video conferencing is hard and Signal's preference is just not to do things until they can see how to do them securely and then implement that.
Hence not having "kick member from group" for ages after adding groups. Most alternatives just have the server know who is in the group and then the server can manage it, but now the server owners can know who is in which groups and secretly join and leave any group - so Signal had to invent a whole bunch of new techniques.
The business model of choice in this space is to (sometimes) have partially open source clients but almost never use OSS in the backend. There's a lot of secret sauce and magic that these companies use to differentiate from each other and most of that is proprietary. This provides these companies with a control point to lock in their users to their network.
For the same reason attempts at standardization of protocols and federating chats and calls between networks have largely stalled/failed. XMPP is technically still around; it's just that none of the popular solutions in this space use it.
I'd say Signal is the positive exception in this space where both server and client are OSS and the client UX is pretty decent. Telegram talks a lot about security as well but their OSS seems limited to mostly client side. Of course a lot of the crypto is client side so depending on how paranoid you are that may or may not be good enough. Either way there probably is a lot of server side stuff that is relevant to end to end security that is not being scrutinized outside Telegram.
For both, even if the client is OSS, what goes into the app stores may still include stuff not accounted for in the source code. Auditing the source code and the binaries are two things. And then there's the runtime environment to consider, which is a OS that is probably proprietary that includes lots of stuff that is a bit icky from a security point of view.
So, there's multiple levels of "trust us, we know what we are doing" that you'd have to buy into in order to feel secure. IMHO that has been a problem for a while but most people/companies seem to be indifferent when it comes to security and happily pay through their nose for 100% proprietary security snake oil peddled by the sales people of e.g. MS, Zoom, Slack, etc.