I’m not sure if it is entirely accurate to compare them in this way, as “Matrix” refers simply to the protocol, whereas “Signal” could refer to the applications, server, and protocol. That being said, is there any fundamental difference in how the Matrix ecosystem of federated servers and independently developed applications compares to that of Signal that would make it less secure, overall, to use?

The most obvious security vulnerability that I can think of is that the person you are communicating with (or, conceivably, oneself, as well) is using an insecure/compromised application that may be leaking information. I would assume that the underlying encryption of the data is rather trustworthy, and the added censorship resistance of federating the servers is a big plus. However, I do wonder if there are any issues with extra metadata generation, or usage tracking that could be seen as an opsec vulnerability for an individual. Signal, somewhat famously, when subpoenaed to hand over data, can only hand over the date that the account was created, and the last time it was used. What would happen if the authorities go after a Matrix user? What information about that user would they be able to gather?

  • fkn@lemmy.world · 12 up / 2 down · 1 year ago

    There are several different questions here that run the gamut of security-related questions, not just privacy.

    If you want a layperson’s answer, the gist of it is both are secure enough for the vast majority of situations. If you don’t have nation states after you, use what is most convenient for your primary use case.

    If you are worried about nation states… You need to do your own technical analysis, and if you are incapable of doing so… You should not be trusting random idiots on the web.

    That said… The biggest difference is that Signal is more secure by default, forcing end-to-end encryption on all communications, but you have to trust a closed-source private organization. Arguably the Signal protocol is probably provably more secure with perfect forward secrecy (the double ratchet algorithm is legit).

    Matrix has a significantly larger public surface area for non-nation-state-level actors to observe, and messaging is arguably slower… But you have much more freedom with how much trust you give entities. Unfortunately, more of the security is up to you and your contacts, which makes it less secure. (We on average are terrible at security.) Matrix is probably also more resilient as a network.

    Finally, Signal does not provide any anonymity whatsoever. In fact, it directly ties your messaging to other highly personal information. (But nobody other than you and the other participants can read any of the messages.) Provided you know your contacts in real life, you can prove message authorship (you know for a fact that the message was written on their device and nobody other than the intended recipients read it).

    Matrix does provide anonymous access. If this is something you need… This is the answer.
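The reply above leans on "perfect forward secrecy" and the double ratchet without showing what that property buys a user whose key material is seized. The following is an added illustration written for this thread; it is not Signal's, Olm's or Megolm's code. It models only the symmetric half of the double ratchet (the HMAC-SHA256 chain that turns one chain key into a fresh per-message key) and assumes the inputs 0x01 and 0x02 for the two derivations; the Diffie-Hellman ratchet that heals a session after a compromise is deliberately left out. The `compromise_scenario` function simulates an attacker who obtains the sender's chain key after message *k* and shows that ratcheting forward recovers only later message keys, never earlier ones, because HMAC cannot be run backwards. The encryption is a toy XOR keystream, only there to show that each message is bound to its own key.

```python
import hashlib
import hmac
from typing import List, Tuple

# Assumed KDF inputs for the two derivations; a real implementation fixes these in its spec.
MESSAGE_KEY_INPUT = b"\x01"
CHAIN_KEY_INPUT = b"\x02"


def kdf_ck(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One symmetric-ratchet step.

    Returns (next_chain_key, message_key). Both are HMAC-SHA256 outputs, so holding
    the outputs does not let anyone recover the chain key that produced them.
    """
    message_key = hmac.new(chain_key, MESSAGE_KEY_INPUT, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_INPUT, hashlib.sha256).digest()
    return next_chain_key, message_key


def derive_message_keys(chain_key: bytes, count: int) -> List[bytes]:
    """Ratchet forward `count` times from `chain_key`, collecting the message keys."""
    keys = []
    ck = chain_key
    for _ in range(count):
        ck, mk = kdf_ck(ck)
        keys.append(mk)
    return keys


def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    """Toy XOR-with-HMAC-keystream cipher (constructed for the demo, not Signal's AEAD)."""
    keystream = b""
    counter = 0
    while len(keystream) < len(plaintext):
        keystream += hmac.new(message_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


decrypt = encrypt  # XOR with the same keystream undoes itself


def compromise_scenario(initial_chain_key: bytes, total: int, compromised_at: int) -> List[int]:
    """Sender ratchets `total` times; the attacker steals the chain key that exists
    right after message number `compromised_at` (1-indexed).

    Returns the message numbers whose keys the attacker can reproduce by ratcheting
    forward from the stolen chain key. Earlier messages never appear in the result.
    """
    ck = initial_chain_key
    message_keys = []
    stolen_ck = None
    for i in range(1, total + 1):
        ck, mk = kdf_ck(ck)
        message_keys.append(mk)
        if i == compromised_at:
            stolen_ck = ck  # state the device holds after sending message i
    attacker_keys = derive_message_keys(stolen_ck, total - compromised_at)
    return [i for i, mk in enumerate(message_keys, start=1) if mk in attacker_keys]


if __name__ == "__main__":
    # Constructed sample: a fixed 32-byte chain key and five short messages.
    root = bytes(range(32))
    msgs = [b"hello", b"meet at 9", b"bring docs", b"changed plan", b"done"]
    for i, (mk, m) in enumerate(zip(derive_message_keys(root, len(msgs)), msgs), start=1):
        ct = encrypt(mk, m)
        assert decrypt(mk, ct) == m
        print(f"message {i}: key {mk.hex()[:16]}... ciphertext {ct.hex()}")
    print("attacker with chain key after message 2 can read:", compromise_scenario(root, 5, 2))
```

Run it and the last line reports `[3, 4, 5]`: the seized chain key exposes everything sent after the compromise but nothing before it. That is the forward-secrecy half of the story; without the DH ratchet the exposure continues indefinitely, which is the gap the full double ratchet closes.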