I just started my de-googling journey recently, and so the mechanics of notifications were still unclear to me, and I found this video super helpful.
It explains how most mobile messaging apps (including privacy-focused ones like Signal) rely on Google and Apple’s centralized servers to deliver push notifications, which exposes vast amounts of user metadata.
Here’s the YT link, for people who prefer it: https://youtu.be/c3ennD3wKn0
From what I recall, Google would be able to see our device received a notification and when but not the actual message nor sender/recipient identity.
I think that’s fine for my threat model.
Molly seems like a potential alternative though since its a signal fork and supports UnifiedPush so you can choose a different notification supplier like ntfy or sunup
They see cintents if the contents is displayed in the notification
That is correct.
However, this is a quasi-monopoly by google having quietly overwhelmed the space. Same thing for RCS messaging.
Neither push notifications nor RCS are proprietary, so there is a possibility to tear oneself from google here.
For instance, there are several free and paid push notifications services. Pushbullet is a popular paid one, not too expensive. I personally use https://ntfy.sh/, which can be self-hosted.
RCS is different because trusting the encryption keys makes RCS work, so there would have to be a critical mass of buy-in to use an alternative to google’s RCS implementation.