There is a post on here where I went through that but I can't search my own posts on Amethyst.
Secure messengers depend on the device, if your device is not secure, your messages aren't either. Getting control of the device is getting control of the messaging app too. And doing the former is far easier and stealthier.
Messaging apps like Signal getting in on this requires a convoluted plan of the state and the developers to collude. Intelligence ops require the least people to know about it, and preferably no one in the general public. Changing the functionality of the app and server infrastructure to push it to everyone is too loud and risky for a state to perform. Hitting a target with a zero-click exploit to get access to the device and all the data is far easier and is stealthy. Nation states are certain to have exploitation capabilities for tons of computing platforms and apps, but it wouldn't be collusion since not even these software developers would even know they have it, they are state secrets.
Tucker (if he is actually telling the truth and isn't grifting) is a high profile person. He has a gigantic professional network and likely so would this Russian client he communicates with. It would be more realistic that intelligence targeting the Russian client or one of his network got out and revealed his plans. High profile individuals also get hit with spyware campaigns a la Pegasus all the time too. Any one of them can be a target.
Tucker isn't a digital security expert, he is a presenter. He isn't expected to understand what or what did not happen to him. It is possible it's not even a digital factor, someone in his social circle could have told off too.
We do have criticisms of Signal and we recommend hardened variations like Molly instead to our users. Signal is mentioned here because Telegram attacked them repeatedly despite performing far worse in security and privacy. We also trust them not to collude. The Signal app itself could have vulnerabilities exploited remotely just like any other messaging app, particularly in the media handling libraries or WebRTC. That's not a breach of Signal's encryption or a collusion. A secure hardware and operating system can significantly help to defend apps from remote exploits of vulnerabilities.