I remember back a few years ago, they had some very serious foundational mistakes in their protocol, which they handwaved away and started blaming people for pointing them out, as in "it's more important to get something working than to do it properly".
Acknowledged and handwaved aren't the same thing. It will be fixed at the first opportunity (change requires breaking the protocol, and they definitely want to get more done in one go when they do that).
And it's remarkable that the only issue cryptanalysts found is this one, which requires your private key to be stolen in order to fake messages from your friends to you.
Not sure if they got better since then.
edit: yeah this issue
https://github.com/TokTok/c-toxcore/issues/426
and the discussion here (2017)
https://news.ycombinator.com/item?id=13392128