The scariest part of this recent news is that TM Signal seem(ed) to be interoperable. People using TM Signal could interact with actual Signal users, and the conversations could be archived.
Is there a way to verify/ enforce users in a group are using the official Signal client?
Signal isn’t that kind of app. It protects your data in flight, but only has minimal protections after the recipient gets the message. It’s a whole other game to protect data at the endpoint. If you can’t trust your recipients to protect data, then you shouldn’t send them data needing protection. In order to do that you need control over all levels of the device receiving the data, hardware, operating system, file system, and software. Anything else will always leave openings for data at rest at tge destination to be compromised by untrustworthy recipients.