The way laws usually work is (gross oversimplification):-
Different state, same country - they have to follow this rule when dealing with customers from California.
Different country - they can break the law, but then California / US can sanction them (i.e. no US-based company can directly do business with them)
There are workarounds to both but 99% of companies will just comply, at least on paper.
It isn’t perfect, but I think there is a difference between a company that currently gives user data to advertisers and authoritarian governments, and one that hasn’t done any of that so far. There sure is a ‘trust me bro’ element, but they have had to relocate from Russia to Dubai because they refused to hand over opposition politicians’ chats. That’s a pretty big commitment to privacy.
Somewhere between WhatsApp and Signal. It has FOSS clients, hands over user data only under extraordinary circumstances (terrorism and child abuse, afaik), and runs on pretty much any hardware. The last two points make it very popular in eastern Europe and most of Asia. The main problem with Telegram is that normal chats are not end to end encrypted, and instead use a weaker encryption algorithm. Secure chats are e2e encrypted, but are not on by default.
Overall, it is used by opposition parties in countries like Russia, Belarus and Iran for day to day stuff, so it is fairly secure. Of course, if you are a reporter or activist who has a lot of enemies, you could get something even more secure.
Inb4 cars are required to jam phone signal when in use.