Signal have published several times when they receive a request for data and their response.

Due to the mechanisms they employ, all they can actually give is if there’s an account associated with a phone number and the last time it logged in, if even that last bit. There’s some fairly detailed articles diving into how this works so well under the hood from a cryptographic standpoint, but it basically amounts to even addresses of users being able to be secret to minimize shared metadata to a bare minimum.

Also the software is entirely open-source – app and server both – and are frequently audited on this. The server never has an opportunity to receive any plain-text data to store.

The weak spot is always just having access to your device.