I read comments from popular cybersecurity blog in other language than english. They commented that Signal does not deny that when adversary gains root on Android then it is game over.
Of course when an attacker gains Root, Sudo, or full Admin its over. Speaking from my linux perspective (its the same on most systems though); sudo = super user do. Its like being God, what instructions sudo issues are carried out without question. The point is to run as a user and never allow sudo unless its YOU and performed locally only.
Actually, Cellebrite gained Root on an unlocked device: https://twitter.com/moxie/status/1337434126186553345
Note that for extra security, Android users can also install the Molly fork, which can protect the app with a passphrase and some more features: https://github.com/mollyim/mollyim-android
Turnabout: It looks like phone-cracking company Cellebrite had its own vulnerabilities exposed https://www.cyberscoop.com/cellebrite-signal-moxie-marlinspike-ufed/
The actual blog post: https://signal.org/blog/cellebrite-vulnerabilities/ Lol it looks like Cellebrites security is a raging dumpster fire: Quite brilliant IMHO, but on the other hand the legal battle against encrypted messaging apps is already bad, doing this might put Signal on a bigger risk of being banned.