I mean, companies like Twitter have already been bitten (and fined!) for using phone numbers collected for 2FA purposes for advertising and monitoring purposes, which is more or less exactly your concern: https://arstechnica.com/tech-policy/2022/05/twitter-pays-150...