Very similar heuristic here, insofar as when to use passphrases and how long.
LUKS and Bitlocker volumes get 8 words, computer logins usually get 4 words (potentially more depending on frequency/criticality of system).
Smartcards and mobile devices do have numeric pins due to frequency of use and relative difficulty in copying those for offline attacks.
Websites that are filled in w/ password manager get passwords get the random symbol-laden strings that ‘meet requirements’
If that is the threat model then Signal is not and never was fit for purpose at all.
Because every time I’ve complained about not wanting to give my phone number to sign up for Signal I’ve been lectured about how Signal is “all about privacy, not anonymity and those are not the same thing” and how that is good for the average Joe even if it isn’t useful for journalists and activists, and what you’re saying goes completely against that by suggesting that the police are somehow unable to get the phone number out of the thing that uses the phone number as the user id.
You’re describing how a real privacy-focused app like Briar functions, but definitely not how Signal does.
Solid Explorer