How is it possible, that Signal still only provides a .deb package and no .rpm, or even better AppImage or Flatpak? There is an unofficial Flatpak but is it secure?
Some projects of Signal-compatible clients and forks received a message from a Signal representrive requesting they stop distributing unofficial clients that connect to their servers.
That probably has on shilling effect on Linux distribution that may be considering building and distributing Signal in their repository.
They can't possibly provide a package for every distro.
Signal's model, ie keep tight control over development and distribution of the client, and the absence of federation, it well suited for Apple/Google's stores, but not at all for open-source and Linux' ecosystem.
But fedora/rhel, Ubuntu/debian, and arch-based distros are the most commonly used. So they can provide official packages for those, and/or as the OP said, provide an official flatpak.
And to be fair, it’s a nice-to-have to have a better sense of trust, but given the unofficial ones are open source, it’s quite likely any maliciousness would be rooted out very quickly.
Or, if you are running one of those distros you could just take the .deb and repackage it for whatever distro you're running. Expecting a project to package for every distro, and then be required to support them for every release is a lot of work. And unfortunately some people have no issues expecting from others, but baulk at the idea of doing it themselves.