They also have the user's phone number and in most cases their phone's adress book.
It's not really about breaking e2e encryption but rather "reveal the identities of following users please". That could be due to all sorts of illegal activities (eg. hate speech, sale of banned substances, terrorism, child abuse, etc.)
Signal cannot in fact provide your address book to German (or any other) authorities. The whole point of Signal's design, and the reason it's less featureful than things like Telegram, is that it's designed not to collect serverside metadata about who's talking to who.
The client has access to the address book and it is hard to verify what the client does in reality. I receive updates of the client every other day and who knows what it brings with it.
I haven't tried to compare a local Android build to the published version myself, so can't directly confirm the accuracy of this document.
Either way, I agree that a released build can slip by unnoticed by most users. This is not a problem unique to Signal though.
At least with Signal you have the option to verify a build before updating. You can also build and run the entirely open source client yourself, which makes verification redundant.
What you write, is I think the main point in this case: there is no hint in the article that telegram is providing access to the communications themselves, but rather data about the account holders which might let the authorities determine their identity. The communications themselves are already in the possession of the authorities. Be it, because they were direct recipients as members of the groups the communications being sent to or provided to the officials by a recipient.
It's not really about breaking e2e encryption but rather "reveal the identities of following users please". That could be due to all sorts of illegal activities (eg. hate speech, sale of banned substances, terrorism, child abuse, etc.)