1) Get off the major cloud providers that charge insane egress fees. 2) Remove SMS verification. A simple solution might be the app gives you a code and then you dial in to them and punch in the code to them. Like a reverse voice based authentication. 3) Remove voice and video calling for non donating users. 3) Remove media texting until both users allow a p2p connection. 4) Remove no contact list message hosting for non donating users.
Lot of unpleasant trade offs there. But I would rank having a text based private messaging app as the top feature. Everything else is a "very" nice to have. I applaud what they are doing and the sacrifices that have been made so far.
So, you can't trust the address in the "From" on an SMS or the "From" of a phone call.
That means a voice call to Signal would not work to validate phone numbers.