The proper perspective is not to look at "exploiting Cellebrite's software" an "exploiting Signal's software" but to look at who has the lawful possession of specific devices that software is running on.
It's not a crime to exploit vulnerabilities in software developed by someone else, it's a crime to exploit vulnerabilities to do things on systems owned/run by others.
A LE officer with a proper warrant running Cellebrite extraction tools on your phone has full rights to execute exploits on your phone.
On the other hand, the phone's owner or Signal has no right to execute exploits on that officers' computer with Cellebrite tools. They can get their own computer with Cellebrite tools (as Signal did) and exploit vulnerabilities there as much as they want (as Signal did), and not tell the vendor the details (as Signal did), that's all legal, but deploying an exploit on phones with the intent that it might get executed on someone else's machine is illegal.
It's not a crime to exploit vulnerabilities in software developed by someone else, it's a crime to exploit vulnerabilities to do things on systems owned/run by others.
A LE officer with a proper warrant running Cellebrite extraction tools on your phone has full rights to execute exploits on your phone.
On the other hand, the phone's owner or Signal has no right to execute exploits on that officers' computer with Cellebrite tools. They can get their own computer with Cellebrite tools (as Signal did) and exploit vulnerabilities there as much as they want (as Signal did), and not tell the vendor the details (as Signal did), that's all legal, but deploying an exploit on phones with the intent that it might get executed on someone else's machine is illegal.