I'm not saying that there aren't other motives, but there are legitimate security concerns.

Credential stuffing is a huge issue for large providers and requiring 2FA is a huge mitigation. Sure, a targeted attack will make the SIM swap, but that is a huge difficulty upgrade from generic credential stuffing.




Source - am a fairly experienced security engineer.

It’s a nonsense argument to say Google can’t handle credential stuffing without SMS 2FA in place, as in not pushing all 2FA via Google Authenticator and using the very wide reach and talented security team for baseline cred stuffing. Sec tools for this, even without being Google and their very talented sec team, are pretty good.

Wanting a hard phone number is a pure identification play and also about the more likely pragmatic concern (than cred stuffing) of using Google for burner accounts.


How do you handle credential stuffing? Attackers will use a huge number of regular residential IPs or VPNs that you would expect to see logins from. How do you tell a credential stuff from a regular login? They are both coming from unknown IPs with normal login rates and they have valid credentials.


Because there’s a bit more to it than just tracking IPs and rates.
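As an added example (not part of any commenter's post), here is one way a defender separates distributed credential stuffing from ordinary logins using signals beyond source IP and request rate: clustering attempts by a client fingerprint and looking at account spread and failure ratio per cluster. The fingerprint field and the sample events are constructed assumptions.

```python
"""Credential-stuffing triage over a batch of login events (constructed sample data).

Signals beyond per-IP rate: one client fingerprint spread across many IPs and many
distinct accounts, with mostly failed attempts. Residential proxies make each IP
look normal on its own; the fingerprint ties the campaign back together.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ip: str
    user: str
    fingerprint: str   # assumed: precomputed hash of UA / TLS / header traits
    success: bool


def cluster_by_fingerprint(events):
    """Group events by client fingerprint and collect per-cluster statistics."""
    stats = defaultdict(lambda: {"ips": set(), "users": set(), "attempts": 0, "failures": 0})
    for e in events:
        s = stats[e.fingerprint]
        s["ips"].add(e.ip)
        s["users"].add(e.user)
        s["attempts"] += 1
        if not e.success:
            s["failures"] += 1
    return stats


def flag_stuffing(events, min_users=20, max_users_per_ip=1.5, min_fail_ratio=0.8):
    """Return fingerprints whose traffic looks like distributed credential stuffing:
    many distinct accounts, roughly one account per IP (rotating proxies), and a
    high failure ratio (most leaked passwords have since been changed)."""
    flagged = {}
    for fp, s in cluster_by_fingerprint(events).items():
        users, ips = len(s["users"]), len(s["ips"])
        fail_ratio = s["failures"] / s["attempts"]
        if users >= min_users and users / ips <= max_users_per_ip and fail_ratio >= min_fail_ratio:
            flagged[fp] = {"users": users, "ips": ips, "fail_ratio": round(fail_ratio, 2)}
    return flagged


def sample_events():
    # Constructed: 40 attempts from 40 different IPs sharing one fingerprint, two of
    # which succeed, plus ordinary users with their own fingerprints and a retry.
    ev = [LoginEvent(f"203.0.113.{i}", f"user{i}@example.com", "fp-stuffer", i in (7, 19))
          for i in range(40)]
    ev += [LoginEvent("198.51.100.5", "alice@example.com", "fp-alice", False),
           LoginEvent("198.51.100.5", "alice@example.com", "fp-alice", True),
           LoginEvent("198.51.100.9", "bob@example.com", "fp-bob", True)]
    return ev


if __name__ == "__main__":
    print(flag_stuffing(sample_events()))
```

The two successes inside a flagged cluster are the accounts to step up (2FA challenge, session revocation) even though each individual IP looked unremarkable.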



