The best way to protect your private keys today is to have a client which:
1. Has open-source code
2. Has had this code audited (regularly, or audited once while you stay on that fixed version without updates)
3. Is delivered to your device by you yourself, or is someone else's build deployed to a store (like Damus), BUT then it MUST support reproducible builds (very difficult, especially for iOS). Details: https://core.telegram.org/reproducible-builds
Otherwise, you can only trust the developers, their best and honest motives, and their advanced security measures.
P.S. Even in this case, you are still trusting (at minimum) Intel/AMD/Apple not to use their hardware backdoors against you.
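
As an added illustration of point 3 (not code from this post or from the linked Telegram guide): checking a reproducible build means comparing the contents of your locally built package with the store-distributed one while ignoring the signing files, which legitimately differ between publisher and user. The archives, entry names and function names below are constructed for the example.

```python
import hashlib
import io
import zipfile

# Signing artifacts differ between the publisher's build and yours by design.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signature_file(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)

def content_digests(archive):
    """Map entry name -> SHA-256 of its uncompressed bytes, skipping signatures."""
    with zipfile.ZipFile(archive) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir() and not is_signature_file(info.filename)
        }

def compare_builds(local_build, store_build):
    """Return a list of (entry, reason); an empty list means the builds match."""
    local, store = content_digests(local_build), content_digests(store_build)
    diffs = []
    for name in sorted(local.keys() | store.keys()):
        if name not in store:
            diffs.append((name, "only in local build"))
        elif name not in local:
            diffs.append((name, "only in store build"))
        elif local[name] != store[name]:
            diffs.append((name, "content differs"))
    return diffs

def make_sample(entries):
    """Constructed in-memory archive standing in for a real package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

def demo():
    code = {"classes.dex": b"client code v1.0", "res/layout.xml": b"<ui/>"}
    local = make_sample({**code, "META-INF/CERT.RSA": b"my own key"})
    store = make_sample({**code, "META-INF/CERT.RSA": b"publisher key"})
    altered = make_sample({**code, "classes.dex": b"client code v1.0 (modified)",
                           "META-INF/CERT.RSA": b"publisher key"})
    return compare_builds(local, store), compare_builds(local, altered)

if __name__ == "__main__":
    print(demo())
```

An empty result only says the shipped package matches the source you built; whether that source is trustworthy is what points 1 and 2 address.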