That’s true, though you would at least hope it would be blocked through the public-facing API (the server should only ever receive hashes, not send them back to clients).
Of course, generally, if someone wants to know who a messaging account belongs to, it’s because they have access to the phone of someone who communicated with you.
I suppose it would be plausible to use a multiple hash so that it takes a phone, say, 100ms to process one string. Then it would take a phone 32 years to go through every NANP number, so even the NSA wouldn’t be able to do it routinely.
