Signal has sworn by GCM the entire time they've been running on Android; it took a lot of whining from the community to get them to allow anything else.
The reason to do this is a security principle: Don't Stand Out.
If Bob uses Bob's personal notification system for Signal, a passive observer can see that Bob was notified by James. If everybody uses Huge Corp notifications the passive observer can only tell that James was notifying somebody about something and that Bob was notified about something.
> Signal uses E2E encryption, so your attack vector doesn't work.
End-to-end encryption is just that. That Firebase library is running on the client phone (aka, an end). If Google put code into the library allowing it to download updates, it would also be running in Signal's context, which would allow it to trivially dump and exfiltrate messages, memory, etc. from the Signal process.
Now, we have no reason to believe such a mechanism is used here to my knowledge, but if they really wanted to, it would defeat end-to-end encryption.
In that case, Signal can run the integration in another process. It's extra work, but it also gets around the GPL issue for the main application, so if Google doesn't solve that itself, it's easy for someone else to do so and share the solution with everybody.
It would also be easy to spot if Google put an updater inside the library because the requested permissions for using the library would change.
If this is your angle, then they wouldn't need you to load any library for them to be able to do this attack. They have root, so they could do the attack regardless of Firebase being open source.
If Signal has to implement it, I assume the FBI will ask Google for the ability to insert itself in the proprietary code in some updates from day 2.