Do you know what the status of their federation is? It looks like their instances narwhal.city and dev.narwhal.city are federating, but I dont see any info if that is already stable, and compliant wit the ActivityPub standard. In our case, we are working on becoming standard compliant, and will probably finish that within a month or so (see issue #1220](github.com/LemmyNet/lemmy/issues/1220).
On another note, I saw a bunch of posts on their site from dev.goldandblack.xyz which seems to be an anarcho-capitalist instance. I’m not sure if that is linked to the lotide developers or not, but its very contrary to the Lemmy userbase which seems mostly anti-capitalist.
The problem is that you as average user have no way to confirm that the app on your phone is actually compiled from the published source code. In that regard it would help if Signal was distributed through F-Droid, which compiles directly from source, but the Signal developers have explicitly forbidden that.
No, they only have transport encryption with TLS. This is why we recommend Matrix instead. I think Mastodon is working on E2E encryption for ActivityPub, but it seems extremely complicated.