Generally speaking, each app gets its build code and flatpak settings (what it can access) vetted when it's first included in the repository.
After that it's up to the developer to keep it tight, with oversight from the community. For example, you can check GitHub - flathub/org.signal.Signal to read the configuration for Signal. That's on top of the code that the Signal app itself uses. Ideally, those sources would live with the original app at some point in the future.
https://github.com/flathub/org.signal.Signal/blob/master/flathub.json is the configuration that builds the app only for x64 CPUs and automatically merges security fixes from dependencies.
https://github.com/flathub/org.signal.Signal/blob/master/org.signal.Signal.metainfo.xml is just data for showing the app in the software centers - nothing that's relevant for privacy.
https://github.com/flathub/org.signal.Signal/blob/master/signal-desktop.sh is a file that gets called when you start the app; it figures out some options and uses a tool that allows running Chromium apps in a flatpak sandbox.
https://github.com/flathub/org.signal.Signal/blob/master/org.signal.Signal.yaml is the most interesting, as it’s the build instructions.
https://github.com/flathub/org.signal.Signal/blob/69b54db509fc91c57104160e9f291c805f89c759/org.signal.Signal.yaml#L11-L44 are probably the most interesting, as that configures the sandboxing (which you won't have with most non-flatpak apps).
https://github.com/flathub/org.signal.Signal/blob/master/org.signal.Signal.yaml shows that it's just downloading the sources from the original website and even checks the sha. It's built from the .deb; that's also the reason why there is only an x64 build.
https://github.com/flathub/org.signal.Signal/blob/69b54db509fc91c57104160e9f291c805f89c759/org.signal.Signal.yaml#L50-L63 basically takes that file, unzips it, moves it, sets some file permissions and changes the .desktop file to point to the flatpak.
For more on verified apps, you might also want to read Verified apps | Flathub Documentation.
So yeah, verified apps are cool, but that doesn't mean non-verified apps are bad per se. Especially high-profile apps like Signal (which are also used by the Flathub team) should be in a good state.
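The two things the post points at in the manifest (the finish-args that configure the sandbox, and the pinned sha256 on the downloaded .deb) are exactly what you would check yourself before trusting an unverified Flathub app. The script below is an added example, not code from the Flathub or Signal repositories: it walks a manifest in flatpak-builder's dict/JSON shape, flags the broad permissions Flathub reviewers push back on, reports remote sources that are not pinned by a checksum or commit, and re-checks a download against the manifest's sha256. The manifest, app id, URLs, build commands and the fake .deb bytes are constructed for the example; the list of "broad" finish-args is the author's choice, not an official Flathub rule set.

```python
"""Audit a Flatpak manifest: flag broad sandbox permissions in finish-args
and check that remote sources are pinned by checksum, the way the Signal
manifest discussed above pins its .deb.

Added example; not code from Flathub or the org.signal.Signal repo.
"""
import hashlib

# Constructed stand-in for a downloaded .deb (not a real package).
FAKE_DEB = b"!<arch>\ndebian-binary   constructed test payload\n"

# Constructed manifest in flatpak-builder's JSON/dict shape. App id, URLs and
# commands are assumptions for the example, not Signal's real manifest.
EXAMPLE_MANIFEST = {
    "app-id": "org.example.Chat",
    "runtime": "org.freedesktop.Platform",
    "runtime-version": "23.08",
    "sdk": "org.freedesktop.Sdk",
    "command": "chat.sh",
    "finish-args": [
        "--share=ipc",
        "--share=network",
        "--socket=wayland",
        "--socket=fallback-x11",
        "--socket=pulseaudio",
        "--device=all",        # broad: every /dev node, not just dri
        "--filesystem=home",   # broad: whole home dir instead of a portal
        "--talk-name=org.freedesktop.Notifications",
    ],
    "modules": [
        {
            "name": "chat",
            "buildsystem": "simple",
            "build-commands": [
                "ar x chat.deb data.tar.xz",
                "tar xf data.tar.xz -C /app --strip-components=1",
            ],
            "sources": [
                {"type": "file", "url": "https://example.invalid/chat.deb",
                 "dest-filename": "chat.deb",
                 "sha256": hashlib.sha256(FAKE_DEB).hexdigest()},
                # Constructed defect: remote file with no checksum at all.
                {"type": "file", "url": "https://example.invalid/icon.png"},
                # Local file shipped next to the manifest; nothing to pin.
                {"type": "file", "path": "chat.sh"},
            ],
        }
    ],
}

# finish-args worth a second look, with the reason (example author's list).
# Matched exactly or as "<arg>:<suffix>", so --filesystem=home:ro also hits.
BROAD_ARGS = {
    "--filesystem=host": "full host filesystem access",
    "--filesystem=home": "entire home directory; prefer portals or a subdirectory",
    "--device=all": "all device nodes; --device=dri is usually enough",
    "--socket=session-bus": "unrestricted session D-Bus; use --talk-name instead",
    "--socket=system-bus": "unrestricted system D-Bus",
    "--socket=x11": "X11 without fallback lets other X clients snoop input",
    "--talk-name=org.freedesktop.Flatpak": "flatpak-spawn --host: sandbox escape by design",
}


def audit_finish_args(finish_args):
    """Return one 'arg: reason' finding per broad permission, in manifest order."""
    findings = []
    for arg in finish_args:
        for pattern, why in BROAD_ARGS.items():
            if arg == pattern or arg.startswith(pattern + ":"):
                findings.append(f"{arg}: {why}")
    return findings


def audit_sources(manifest):
    """Return findings for remote sources that carry no sha256/sha512/commit."""
    findings = []
    for module in manifest.get("modules", []):
        if isinstance(module, str):
            continue  # reference to a separate manifest file; audit it separately
        for src in module.get("sources", []):
            if "url" not in src:
                continue  # local path: ships with the manifest, nothing to pin
            if not any(k in src for k in ("sha256", "sha512", "commit")):
                findings.append(f"{module['name']}: {src['url']} is not pinned")
    return findings


def verify_source(src, data):
    """Check downloaded bytes against the source's sha256, as flatpak-builder does."""
    expected = src.get("sha256")
    if not expected:
        return False  # unpinned source: nothing to verify against
    return hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    for finding in audit_finish_args(EXAMPLE_MANIFEST["finish-args"]):
        print("WARN finish-args", finding)
    for finding in audit_sources(EXAMPLE_MANIFEST):
        print("WARN sources", finding)
    deb_src = EXAMPLE_MANIFEST["modules"][0]["sources"][0]
    print("deb checksum ok:", verify_source(deb_src, FAKE_DEB))
    print("tampered deb ok:", verify_source(deb_src, FAKE_DEB + b"x"))
```

To run this against a real Flathub manifest, load the YAML with PyYAML (the dict shape is identical to the JSON form) and pass it to `audit_sources`; `--socket=fallback-x11` deliberately does not trip the `--socket=x11` check, because fallback-x11 only grants X11 when no Wayland display is available.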