The main issue is other apps running at the same user level as signal being able to access it, again because desktop OSs don’t really sandbox things. On the server (Linux) we generally do this using service accounts, but no one is using separate service accounts for most software installed on a Linux desktop.