
Recall is encrypted with a key in the TPM. But getting access to that encrypted sqlite db is a yawn.

Getting the key is harder, but possible. You can breach into Microsoft's group with a particular set of GPOs - if you can run a particular set of server commands on the local network.

Signal data is encrypted at rest. The key is stored in the OS store - usually meaning the TPM.

However, the key isn't in Microsoft's main grouping. To date, no one has extracted the Signal key this way. Other exploits are required.

Signal, being smaller than the whole of Microsoft, reduces the attack surface.



If Signal uses the Windows Data Protection API for saving/encrypting the key (and some data online suggests that it does), then it’s trivial to fetch it back with the same APIs if you’re running as the same user. (I use `keyring` on Windows to access the key(s) VMware Workstation uses to encrypt Windows 11 VM vTPMs)

It’s kept secure by a chain of keys that may be backed by the TPM, but the security boundary is the user, not the app identity. IIRC Store/UWP apps may get their own boundary for credentials (due to how .appx is implemented).


> no one has extracted the Signal key this way

This is incorrect. Any process running as your user can trivially get the key.
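The point made in the two comments above (DPAPI ties protected data to the Windows user account, not to the program that wrote it) can be seen directly with the API itself. The following PowerShell is an added illustration, not code from the thread or from Signal, and it never touches any real application's data: it protects a constructed sample string with `ProtectedData.Protect` at `CurrentUser` scope and reads it back from a different function in the same session, which is what any other process running as that user could also do. The `Protect-Secret` and `Unprotect-Secret` function names and the sample values are assumptions made for the example.

```powershell
# Added example (not from the thread): demonstrates that DPAPI's CurrentUser
# scope is bound to the Windows user, not to the calling application.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Secret,
        [byte[]]$Entropy = $null    # optional extra secret mixed into the key derivation
    )
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [byte[]]$Entropy = $null
    )
    $blob  = [Convert]::FromBase64String($Base64Blob)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample value standing in for an application's at-rest key.
$appKey = "constructed-sample-app-key-0123456789"
$blob   = Protect-Secret -Secret $appKey

# Nothing in the blob identifies the program that created it; any code running
# as the same user and calling Unprotect with the same scope gets the bytes back.
$recovered = Unprotect-Secret -Base64Blob $blob
"Same user, no entropy, round-trips: $($recovered -eq $appKey)"

# Optional entropy is a second secret the caller must supply. A same-user process
# that does not know it is refused, so it is only a real mitigation if that
# secret is stored somewhere the user's own processes cannot read.
$entropy = [System.Text.Encoding]::UTF8.GetBytes("constructed-extra-secret")
$blob2   = Protect-Secret -Secret $appKey -Entropy $entropy
try {
    Unprotect-Secret -Base64Blob $blob2 | Out-Null
    "Without entropy: unexpectedly succeeded"
} catch {
    "Without entropy: rejected ($($_.Exception.GetBaseException().GetType().Name))"
}
$withEntropy = Unprotect-Secret -Base64Blob $blob2 -Entropy $entropy
"With entropy, round-trips: $($withEntropy -eq $appKey)"
```

The practical reading for someone assessing an application's key storage: DPAPI at `CurrentUser` scope defends against other users and offline disk access, not against code already running in the same user session. Raising that bar means changing the identity that holds the key (a separate service account, or a credential type whose use requires user presence), not adding more DPAPI layers under the same user.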



