
Why is it OK to allow enumeration of accounts with a given phone number, when it is generally considered to be a privacy and security violation to allow someone to enter email addresses and confirm if they have an account with a service or app?

I've never understood this idea that phone numbers shouldn't be protected the same as email addresses or other personal information.



It's for contact discovery. It's actually pretty similar for email? If you enter an email address in your mail client and send an email to it, in most configurations you'll get some kind of notification if the recipient doesn't exist.

Email, of course, has an unlimited number of possible addresses. Phone numbers are a dense space with limited parameter length. So it is easier to enumerate all phone numbers.



