There is always some trust with private communication apps. No way one can get a completely trustless system. Signal tries to build trust by being open source and by publishing the same documents it sends in subpoenas[0] (i.e. transparency in how they respond to government requests). The lack of understanding how the information was obtained is worthy of increased suspicion albeit not abandonment. There is added suspicion in that I cannot find an official response by the Threema team. We do not know if the encryption was broken or if there was access (physical or remote) to the phone. Do note that Threema is open sourced[1]. But there can still be concern if access to the phone was gained through other means and then access to the app was gained. There's a brush off of "if physical access is gained, not our problem" but that's not nearly enough (it still shouldn't be trivial). Assuming user error first is not a good methodology in response to these types of attacks (which there is some brushing off in this manner in Threema's response to this thread's link). People are still probing a black box at the end of the day.
You can’t verify the binaries it’s actually running and the protocol shouldn’t rely on a trustworthy server anyway.
IMO the biggest problem with any of these E2EE apps is using them with iOS users. Apple makes it impossible to extract and inspect the packages without jailbreaking, so most projects don’t bother with reproducible iOS builds.
I don't think it is, which is disappointing. But even with Signal's open sourced server I think we still need to trust that they are running said server. Unless you know a way to verify it.
[0] https://signal.org/bigbrother/
[1] https://threema.ch/en/open-source