The scariest part of this recent news is that TM Signal seem(ed) to be interoperable. People using TM Signal could interact with actual Signal users, and the conversations could be archived.
Is there a way to verify/ enforce users in a group are using the official Signal client?
Definitely. Capturing the messages isn’t my concern though as much as interacting with non authentic clients
What is your worry about non authentic clients?
Poor security implementations that would become the weakest link in the security chain