I would avoid it:
- Jurisdiction and infrastructure inside EU and USA, both 14-eyes
- Contact info / identifiers / usage data / diagnostics collected through usage
- User data and/or metadata sent to parent company and/or third parties
- Reproducible builds aren’t used to verify apps against source code
- Can’t sign up to the app anonymously
- Forced to trust a centralized directory server
- Directory service could be modified to enable a MITM attack
- Only notified of a contact’s fingerprint changing when you have previously verified them
- Not all personal information is hashed to protect against certain attacks
- Metadata not encrypted
- Company logs timestamps/IP addresses
- Undocumented design and infrastructure