Let's assume that Signal is fully encrypted and there's no feasible way to read the messages.
The problem is that the phone is likely used for other things too, and you don't want [insert important app here] to leak information that could've been protected with a VPN. Also things like dns logs and the IP connection will still be revealed without a VPN so an attacker will be able to know that you're using Signal, when you're using it, potentially with DPI they might get to know when you send/receive a message. Collect this information across a wide enough network and compare the times, you may be able to tell who is messaging who and when.
With a VPN there's no risk of other apps leaking data, it hides your dns queries, and the end connection. This means it will be difficult you're using Signal specifically at all, and should make DPI at least more difficult.
> But they probably don't fully trust their vpn
The VPN isn't necessarily be in charge of keeping the messages themselves secure, but for preventing other data leaks. The messaging application is responsible for that part, and they had to use something like Signal, because (theoretically) signal cannot read their messages. Slack/MS Teams/Facebook messanger/etc still have access to your messages regardless of any VPN.
The problem is that the phone is likely used for other things too, and you don't want [insert important app here] to leak information that could've been protected with a VPN. Also things like dns logs and the IP connection will still be revealed without a VPN so an attacker will be able to know that you're using Signal, when you're using it, potentially with DPI they might get to know when you send/receive a message. Collect this information across a wide enough network and compare the times, you may be able to tell who is messaging who and when.
With a VPN there's no risk of other apps leaking data, it hides your dns queries, and the end connection. This means it will be difficult you're using Signal specifically at all, and should make DPI at least more difficult.
> But they probably don't fully trust their vpn
The VPN isn't necessarily be in charge of keeping the messages themselves secure, but for preventing other data leaks. The messaging application is responsible for that part, and they had to use something like Signal, because (theoretically) signal cannot read their messages. Slack/MS Teams/Facebook messanger/etc still have access to your messages regardless of any VPN.