Hi there, Signal dev here. We do, in fact, pad attachments to a limited set of bucket sizes.

Nothing stops Cloudflare from inspecting the file contents, or using a hash to distinguish between identically-sized files.

The only reason we assume they don't do this is because it's a waste of resources for no good reason. But what if somebody gave them a good reason?