To put this in plain English, could we say Facebook asked for phone numbers in the name of "security" but there was no restriction on how Facebook could use those phone numbers. Usage was not restricted to the purpose for which Facebook collected the numbers. Facebook could use them for reasons other than "security".
When I got my first Yubikey the first thing I did was start securing all of my accounts with 2FA. Facebook was one of the few accounts I had at the time that supported U2F, which is what I wanted to try the most. Foolishly, I saw no harm in giving up my phone number for the purposes of enabling it, but only two weeks later I was receiving daily updates from my Facebook feed that I never asked for. Oddly, the text messages stopped on their own but not before they continued a month later, with Facebook asking me why I haven't been logging in and to tell me what I've been "missing." Again, this stopped a few days afterwards.
Then, about three months ago I had a privacy scare, courtesy of Facebook. I was exchanging contact information with a friend several states away whom I had just recently met, and the moment she added my phone number to her contacts list, her Pixel phone had automatically associated my phone number with as much information about me from Facebook without my knowledge, apparently by performing a lookup that can also be done using someone's email address. This exact thing was brought to more public attention with an article that was posted here to HN a week after this happened to me, but I can't seem to find it.
Thankfully, the person that I had this scare with is someone I can trust, but the plausibility that anyone could do this again with just a phone number or email address was enough for me to finally delete my Facebook account since I could not find a way to dissociate my number now that I had given it to them. I figure that even though my information is still stored somewhere on their systems, deleting my account is as much as I can do to try and mitigate/prevent further damage.
