For example?
The insistence that you use their automatically updated smartphone client makes the E2EE practically a no-op.
It's your choice to keep automatic app updates turned on. I turned it off.
In my experience that choice is available but choosing to leave it off means choosing not to use the service so it may as well not exist.
Unless they allow you to bring your own client E2EE is a no-op.
I have sympathies for this argument, though it boils down to trust. Even if you roll your own client, you still need to trust some things outside of your control, be it your build environment, your phone, whatever. But most people will use somebody else's client, so need to trust whoever built that one. Or whoever supposedly audited it. The Signal authors just play that role here. Their business model is fundamentally different that that of Google or Meta, which is a main source of trust people are putting into it. Offloading the exposure to a minimum (just the client which is open source) is another. Yes there are ways around all that for an attacker, but in the end it's a game of likelihood. A journalist or dissident fearing for their life may have a different conclusion than mom and dad who want to coordinate a birthday party without big tech reading those messages and selling them to ad companies. It's good to err on the side of caution, but acting like I am the former while in reality I'm closer to the latter user type is in the end just theatre.
There is no acceptable reason for an online service to demand your phone number IMO. There are a lot of other issues with signal though.