In the case of GIPHY that you mentioned, they are sending IP addresses, which is considered PII (according to GDPR), and this should be outlined in the terms and agreed to by the user prior to sending the data.
Signal's privacy terms were last updated in 2018. We are in 2025 now. It is unimaginable for any operational organization not to update their terms for 7 years.
All together, this is what I call "unacceptably poor" in terms of handling users' privacy.
As a privacy-concious user, I always get suspicious abouy privacy policy changes. They always become more loose instead of doing anything to my advantage. Typically because company has found a new way to use my data to make money and their lawyers realized that this requires relaxing the privacy policy. It's a good thing Signal is not playing that game.
It's true that having to disclose your phone number to the service and especially to other users is now a significant drawback compared to internet-first services like WhatsApp that use entirely separate identifiers. Many people have raised this objection, and to their credit they've at last rearchitected to allow exchanging messages using user names and without your phone number being disclosed to the other party.
They still have the phone number at the core of account registration, I suspect for similar reasons to the use of a (one-time sign up) captcha: because they raise the cost to create spam accounts. I'd understand if that's not acceptable to you, but I don't think "unacceptably poor" is a reasonable assessment of their handling of user privacy.
Another example of their approach to privacy: they went to great lengths to design their Giphy search to avoid revealing your search terms to them or your IP address to Giphy: https://signal.org/blog/giphy-experiment/