If the Signal Messaging LLC is compromised, then "updates", e.g., spyware, can be remotely installed on every Signal user's computer, assuming every Signal user allows "automatic updates". I don't think Signal has a setting to turn off updates

Not only does one have to worry about other Signal users being compromised, one also has to worry about a third party being compromised: the Signal Messaaging LLC