Telegram's crypto may be weird, as the professional cryptographers you allude to have pointed out; I don't know, not being a cryptography expert. But MTProto 2.0 has been shown to enjoy many nice security properties (including a version of forward secrecy, though one afaik not as good as that enjoyed by Signal): formal proofs are available here https://github.com/miculan/telegram-mtproto2-verification/tr... and some peer-reviewed papers describing the formal verification effort are linked to there as well. Considering that, I think calling Telegram's crypto "a mess" is misleading.
The characteristics of MTProto are barely relevant when it is not used in the real world: group chats cannot be encrypted with it, 1:1 chats have caveats like terrible UX and the need for both parties to be online to initiate a session.
Ironically, just being able to produce a valid proof is hardly proof that an implementation has those properties; it just means they put some effort into it.
This would be a valid point if the client source code wasn't available; you can build the app from source and sideload it onto your Android phone or verify [0] that the build available for your platform matches the code you've audited for compliance with the protocol. Granted, I don't know if anyone's performed such an audit, but it's at least an option.
It used to have issues; they have improved since, but I don't consider Telegram to be encrypted or private (and I'm also not a crypto expert, so the details elude me anyway), so I haven't really kept track of this.
Honestly, the issue was not about their crypto at all, but about the attitude and how they reacted. It's literally as if someone says "dude, I know a thing about crypto and you might've made a mistake there" and Pavel immediately goes into offensive defense, preaching how they have the best ACM champion PhDs and shifting the burden of proof, basically a canonical Putin/Trump style of evading an argument.
That's what makes me wary of this guy, not his product.