Firebase answered me with this reCAPTCHA SMS toll fraud protection which is only in preview right now https://cloud.google.com/identity-platform/docs/recaptcha-tfp for Firebase Auth and Google Cloud Identity Platform that will allow you to manage your own risk tolerance. Generally speaking, no carriers are expected to be blocked for projects using reCAPTCHA SMS toll fraud protection, so "error:39" messages should no longer occur.

I'm curious if anyone started implementing this.