The most likely explanation would be that he simply didn't delete his messages, or have auto-delete enabled; or, perhaps, he had the auto-delete window for these particular contacts set too long.

Most definitely this. Bad messenger OPSEC is a real problem, still. Just recently Paul Manafort backed up his encrypted WhatsApp messages to iCloud, for example.

Many users of these apps don't realize that they are opening themselves up to security issues by performing certain behaviors. Are there any guides to good messenger OPSEC available for the general public (or even at-risk people like journalists or politicians?)

While it may be true that Manafort incidentally backed up WhatsApp or Signal messages to iCloud, the FBI supporting statement in the motion to revoke parole indicates that the messages cited were preserved by the receiving party and voluntarily turned over to the FBI.

This is the one I see circulating the most. Links to Signal setup are in the body and include auto-deleting messages.

https://techsolidarity.org/resources/basic_security.htm

These guides come to mind:

* https://ssd.eff.org/en/module/how-use-signal-ios

* https://yawnbox.com/static/iPhone-opsec-guide.html

* https://blog.filippo.io/securing-a-travel-iphone/