They weren't though? Signal requires a phone number to sign up and it is linked to your account but your phone number is not used in the under the hood account or device identification, it is not shared by default, your number can be entirely removed from contact disovery if you wish, and even if they got a warrant or were tapping signal infra directly, it'd be extremely non trivial to extract user phone numbers.

https://signal.org/blog/phone-number-privacy-usernames/

https://signal.org/blog/sealed-sender/

https://signal.org/blog/private-contact-discovery/

https://signal.org/blog/building-faster-oram/

https://signal.org/blog/signal-private-group-system/

Absolutely nothing in this article is related to feds using conversation metadata to map participants, so, no they weren’t.

Signal's use of phone numbers is the least of your issues if you've reached this level of inspection. Signal could be the most pristine perfect thing in the world, and the traffic from the rest of your phone is exactly as exposing as your phone number is when your enemy is the US government who can force cooperation from the infrastructure providers.

I talked to Moxie about this 20 years ago at DefCon and he shrugged his shoulders and said "well... it's better than the alternative." He has a point. Signal is probably better than Facebook Messenger or SMS. Maybe there's a market for something better.

I could have sworn Signal adopted usernames sometime back, but in my eyes its a little too late.

Suppose they didn't require that. Wouldn't that open themselves up to DDoS? An angry nation or ransom-seeker could direct bots to create accounts and stuff them with noise.