The client has access to the address book and it is hard to verify what the client does in reality. I receive updates of the client every other day and who knows what it brings with it.
I haven't tried to compare a local Android build to the published version myself, so I can't directly confirm the accuracy of this document.
Either way, I agree that a released build can slip by unnoticed by most users. This is not a problem unique to Signal, though.
At least with Signal you have the option to verify a build before updating. You can also build and run the entirely open source client yourself, which makes verification redundant.