
> Power users make sure it's safe for them; if it is, it is safe for 'normal' users as well.

Power users can make sure the code they're running is safe for them. There's no guarantee that Signal for example is running the same code they release to others.



Signal for Android has reproducible builds, so you can verify that the version on the Play Store matches the code you audited.
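The check that comment describes, as an added example that is not Signal's own tooling: a locally built APK and the store APK can never be byte-identical, because only the publisher holds the signing key, so a reproducible-build comparison walks both ZIP archives and compares every entry except the signing metadata under META-INF. The entry names, the hashing approach and the sample archives below are assumptions constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"fmt"
	"io"
	"sort"
	"strings"
)

// signatureEntry reports whether a ZIP entry belongs to the APK signature
// block. These entries legitimately differ between a local build and the
// store build, so the comparison skips them. (Assumed set of names.)
func signatureEntry(name string) bool {
	if !strings.HasPrefix(name, "META-INF/") {
		return false
	}
	return name == "META-INF/MANIFEST.MF" ||
		strings.HasSuffix(name, ".SF") || strings.HasSuffix(name, ".RSA") ||
		strings.HasSuffix(name, ".DSA") || strings.HasSuffix(name, ".EC")
}

// entryHashes maps entry name -> SHA-256 of the uncompressed content,
// ignoring signature entries.
func entryHashes(apk []byte) (map[string][32]byte, error) {
	r, err := zip.NewReader(bytes.NewReader(apk), int64(len(apk)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][32]byte)
	for _, f := range r.File {
		if signatureEntry(f.Name) {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		out[f.Name] = sha256.Sum256(data)
	}
	return out, nil
}

// Diff returns the sorted names of entries that exist on only one side or
// whose content differs. An empty result means the store APK matches the
// audited build everywhere except the signature.
func Diff(localAPK, storeAPK []byte) ([]string, error) {
	a, err := entryHashes(localAPK)
	if err != nil {
		return nil, err
	}
	b, err := entryHashes(storeAPK)
	if err != nil {
		return nil, err
	}
	var diffs []string
	for name, h := range a {
		if hb, ok := b[name]; !ok || hb != h {
			diffs = append(diffs, name)
		}
	}
	for name := range b {
		if _, ok := a[name]; !ok {
			diffs = append(diffs, name)
		}
	}
	sort.Strings(diffs)
	return diffs, nil
}

// buildAPK creates a constructed, minimal ZIP standing in for a real APK.
func buildAPK(entries map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	names := make([]string, 0, len(entries))
	for n := range entries {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic entry order
	for _, n := range names {
		f, err := w.Create(n)
		if err != nil {
			panic(err)
		}
		if _, err := f.Write([]byte(entries[n])); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	local := buildAPK(map[string]string{"classes.dex": "code", "META-INF/MANIFEST.MF": "local"})
	store := buildAPK(map[string]string{"classes.dex": "code", "META-INF/MANIFEST.MF": "store", "META-INF/CERT.RSA": "sig"})
	d, err := Diff(local, store)
	fmt.Println(d, err) // [] <nil>
}
```

The practical point is which side of the comparison you trust: the hashes of the local build come from source you audited, so a non-empty diff is the signal that the store binary carries something the source does not.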


How does that help you verify what is running on the server?


The whole point of e2e is that you don't have to trust the server (for content; you do have to trust that they aren't saving metadata).
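The trust boundary that comment draws, as an added example that is not code from Signal or from the commenter: a relay server forwards envelopes whose routing fields it must read, while the body is AES-GCM ciphertext under a key only the two endpoints hold. The key agreement that a real messenger performs is assumed to have already happened; the Envelope and Relay types, the user names and the message are constructed for the example. Binding sender and recipient into the associated data is a design choice added here so that a relay that rewrites the recipient field produces a decryption failure rather than a silently re-routed message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the relay server handles: routing metadata in the
// clear plus an opaque ciphertext.
type Envelope struct {
	From, To   string
	Nonce      []byte
	Ciphertext []byte
}

// Relay models the server. It forwards envelopes and can record whatever it
// sees; it never holds the conversation key.
type Relay struct {
	Log   []string
	inbox map[string][]Envelope
}

func NewRelay() *Relay { return &Relay{inbox: map[string][]Envelope{}} }

// Deliver stores the envelope for the recipient. The log line is exactly the
// metadata the comment says you still have to trust the operator with.
func (r *Relay) Deliver(e Envelope) {
	r.Log = append(r.Log, fmt.Sprintf("%s -> %s, %d bytes", e.From, e.To, len(e.Ciphertext)))
	r.inbox[e.To] = append(r.inbox[e.To], e)
}

// Fetch drains the recipient's inbox.
func (r *Relay) Fetch(user string) []Envelope {
	msgs := r.inbox[user]
	delete(r.inbox, user)
	return msgs
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the shared key and binds the routing fields
// as associated data so they are authenticated but still readable by the relay.
func Seal(key []byte, from, to, plaintext string) (Envelope, error) {
	gcm, err := aead(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(from+"|"+to))
	return Envelope{From: from, To: to, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an envelope; it fails if the body or the routing fields were
// altered in transit.
func Open(key []byte, e Envelope) (string, error) {
	gcm, err := aead(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.From+"|"+e.To))
	if err != nil {
		return "", errors.New("envelope rejected: " + err.Error())
	}
	return string(pt), nil
}

// CiphertextContains reports whether the raw bytes the relay saw include the
// plaintext; for a correct AEAD this is false except by negligible chance.
func CiphertextContains(e Envelope, plaintext string) bool {
	return bytes.Contains(e.Ciphertext, []byte(plaintext))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key, endpoints only
	relay := NewRelay()
	env, _ := Seal(key, "alice", "bob", "meet at noon")
	relay.Deliver(env)
	pt, err := Open(key, relay.Fetch("bob")[0])
	fmt.Println(pt, err)     // meet at noon <nil>
	fmt.Println(relay.Log[0]) // alice -> bob, 28 bytes
}
```

What the relay log shows is the residual trust the comment describes: who talks to whom, when, and how much, all visible without the key.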


They can use trusted computing or HSM tech for that. They have the money but probably won't spend it.


None of that addresses the point. Without third-party, independent verification of their servers and the code that is running, open source provides limited (if any) improvements to privacy and security.


That's part of the point rather than separate. A closed system without any way to prove it's running something often can't get 3rd-party verification or user trust that's consistently believable. An open-source, tamper-resistant system can. Quite a bit of difference. Once verifications come in, the effects of reputation then allow users with less technical knowledge to learn what's trustworthy or not.


But they don't, so why do they get points for having an open source server?


For a full solution, it would be a start to what they needed. The main benefit of an open-source server is that people can audit it for vulnerabilities. As in, they get free-to-cheap labor to reduce their liabilities. People might also submit extensions they find useful. The usual benefits of FOSS for suppliers.

