
Not entirely true. On recent versions of Android, you are asked to give "install untrusted apps" permission on a per-source basis (e.g. I downloaded an apk from Chrome, now I have to allow Chrome to be a source of installable apks).

Also, it doesn't disable signature verification at all -- it just changes to what is essentially a TOFU model. You can verify this by installing, say, NewPipe from vanilla F-Droid, then adding the NewPipe repo and installing a build from there. It will fail unless you completely remove the original app (from all the profiles on the device!) and install the new one afterwards. This is due to different signatures between repos.

In any case, I agree with your wider point about Signal's rather concerning distribution strategy. I would like to see inclusion in F-Droid, or at least a custom third-party repository. Unlikely though.
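
A simplified model of the trust-on-first-use behaviour described in the comment above, added here as an example and not written by the commenter or taken from Android: the first signer seen for a package is pinned, and a build from a different signer is rejected until the package is gone from every profile. The `Device` class, the package name and the certificate bytes are constructed for illustration.

```python
import hashlib

class SignatureMismatch(Exception):
    """Raised when an update's signer differs from the pinned one."""

class Device:
    """Toy model of trust-on-first-use signer pinning; not Android's code."""

    def __init__(self):
        self.pins = {}       # package -> SHA-256 of the first signer cert seen
        self.installed = {}  # package -> set of profiles holding the package

    def install(self, package, signer_cert, profile):
        seen = hashlib.sha256(signer_cert).hexdigest()
        pinned = self.pins.setdefault(package, seen)  # first use: trust and pin
        if pinned != seen:
            raise SignatureMismatch(f"{package}: {seen[:12]} != pinned {pinned[:12]}")
        self.installed.setdefault(package, set()).add(profile)

    def uninstall(self, package, profile):
        profiles = self.installed.get(package, set())
        profiles.discard(profile)
        if not profiles:  # the pin is forgotten only when no profile has the app
            self.installed.pop(package, None)
            self.pins.pop(package, None)

def try_install(device, package, cert, profile):
    try:
        device.install(package, cert, profile)
        return "installed"
    except SignatureMismatch:
        return "rejected"

def demo():
    # Constructed stand-ins for two repositories' signing certificates.
    repo_a_cert = b"constructed certificate: first repo"
    repo_b_cert = b"constructed certificate: second repo"
    pkg = "app.example"  # constructed package name
    dev = Device()
    results = [try_install(dev, pkg, repo_a_cert, "owner"),
               try_install(dev, pkg, repo_a_cert, "work"),
               try_install(dev, pkg, repo_b_cert, "owner")]   # different signer
    dev.uninstall(pkg, "owner")
    results.append(try_install(dev, pkg, repo_b_cert, "owner"))  # work still pins
    dev.uninstall(pkg, "work")
    results.append(try_install(dev, pkg, repo_b_cert, "owner"))  # pin cleared
    return results

if __name__ == "__main__":
    print(demo())
```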


