
As addressed in the article, all the information is stored encrypted. Signal cannot see your photo, name, etc. in any practical sense.

The only thing Signal knows is that this phone number uses Signal … that’s not a lot.




It's encrypted with an easy-to-brute-force PIN and stored using SGX.

https://community.signalusers.org/t/proper-secure-value-secu...

Even if we forgive them for keeping/using phone numbers, all of the other data collection is entirely unnecessary and it's also exactly the kind of data the feds have been asking them to hand over.


IIRC it works something like this: You can use a password of whatever complexity you like. Signal adds a PIN to enhance the password's complexity, just in case a user might choose an insecure one.


They did change it to accept longer passwords while still calling it a PIN, which most people associate with a 4-digit number, and allowing short PINs. While it's good to increase the complexity on their end, the justification for all of this is so that users can restore their settings on a new device. That means that in the worst case the data is more secure on the server, but someone acting as if they are restoring their settings will only have to enter the weak password to get the data.



