It's probably a matter of pragmatism. People are gonna use instant messengers, might as well recommend the least bad one. I've seen it in corporate environments too. If you have locked-down workstations, there's usually some list of free software that isn't officially supported, but doesn't require special approvals.

It seems strange that the CIA isn't running their own fork of signal which uses their own servers to avoid leaking metadata.

Not really. The killer feature of Signal isn’t the encryption it’s auto-deletion.

Which any CIA fork would not be able to keep since it violates FOIA laws.

Yes, the scandal here is not just the questionable security. It is also clear intent to circumvent transparency laws which suggests they may be intending to hide the breaking of other laws.

Honest question, why is it legal to use auto deletion with Signal, but illegal to have a fork of Signal with auto deletion?

it is not legal, but that also doesnt matter when nobody can enforce it

Using signal with auto deletion is illegal. Creating a fork of Signal for CIA (or whichever) use and then deliberately not removing auto-deletion is really illegal. I think that's the thought process, at least.

I’ve seen others within the CIA say that the statements about signal being pre installed are false.