It’s been a while since I looked into it, and things might have changed since then, but some stuff off the top of my head:
Messages are stored on the server, not on the device
end-to-end encryption not enabled by default
uses proprietary encryption, making security audits difficult
Apart from that it’s somewhat politically questionable, based in Dubai (I think), with dubious financial backing and Russian developers. Because it’s closed source and the encryption is proprietary, there’s no way of knowing how much info it leaks.