Way back when FB rolled out 2FA, I weighed the additional security of that over a strong random password, versus the obvious downside of them having my phone number. Basically, it was a small chance of some weirdo hijacking an account containing nothing sensitive (FB doesn't have my credit card, either), versus a large chance of a giant ad/surveillance company using my phone number to make money. I ultimately chose not to set up 2FA, and now I think that was a good decision for exactly the reasons I predicted.

I'm also very skeptical of the "bug" explanation, given how persistently they have been asking for my phone number lately.