
Signal has an option to prevent this by locking the number with your PIN. This capability introduces plausible deniability that a phone number assigned to a SIM is actually associated with the number of a Signal account. Don't know if that matters legally or not.

Also the people doing shady things are generally hopping accounts regularly anyway.

PIN only stops registration for a fixed amount of time, believe 7 days, then the entity controlling the number would be able to reclaim the account. If the “attacker” maintained control, new devices that add the number from their contact list would get no alert; that is, the users would have to figure out the number is controlled by someone else.


That’s 7 days since last use. So if you continue to use the app at least once every 7 days, it will remain registration locked.

Also, anyone who had communicated with you before the switch would see a “safety number changed” notification if the number became affiliated with a new device.


Curious, where’s the “last use” in the documentation or code? Asking because I have seen other issues with the PIN vs docs and haven’t gotten to testing the recovery mode.

EDIT: Found the related docs; it appears they have been edited since I last looked at them. For example, you can now disable PIN reminders:

https://support.signal.org/hc/en-us/articles/360007059792-Si...

And yes, “anyone who had communicated with you before the switch would see a ‘safety number changed’ notification if the number became affiliated with a new device” is correct, though so is my statement about new numbers adding the number. To be honest, I have caused the alerts to happen before, the other user had no idea what they meant, didn’t say anything, just clicked okay.
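An added illustration of the two behaviours discussed in this thread (not code from the thread or from Signal): a sliding registration lock that expires 7 days after last use, and the asymmetry that only contacts who already had a session see a “safety number changed” alert after a takeover. The 7-day window, the phone numbers and the identity-key strings are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple

# Assumed per the thread: lock holds for 7 days measured from the account's last use.
REGISTRATION_LOCK_WINDOW = timedelta(days=7)


@dataclass
class Account:
    number: str
    pin: Optional[str]            # None means registration lock is disabled
    identity_key: str             # stands in for the device identity key (constructed)
    last_active: datetime
    contacts: Set[str] = field(default_factory=set)  # numbers with an existing session


def lock_active(acct: Account, now: datetime) -> bool:
    """Lock is in force only while a PIN is set and the window has not elapsed."""
    return acct.pin is not None and now - acct.last_active < REGISTRATION_LOCK_WINDOW


def attempt_registration(acct: Account, now: datetime, pin_entered: Optional[str],
                         new_identity_key: str) -> Tuple[str, Set[str]]:
    """Try to (re)register the number on a new device.

    Returns ("blocked", empty set) if the lock stops it, otherwise
    ("registered", numbers that will see a safety-number-changed alert).
    Only contacts that already held the old identity key can notice the change;
    anyone adding the number afterwards has nothing to compare against.
    """
    if lock_active(acct, now) and pin_entered != acct.pin:
        return "blocked", set()
    alerted = set(acct.contacts)
    acct.identity_key = new_identity_key
    acct.last_active = now
    return "registered", alerted


def run_scenario() -> dict:
    """Walk through the thread's timeline with constructed sample values."""
    t0 = datetime(2024, 1, 1)
    acct = Account("+15550001111", "1234", "key-owner", t0, {"+15550002222"})
    r = {}
    r["day3_no_pin"] = attempt_registration(acct, t0 + timedelta(days=3), None, "key-x")[0]
    acct.last_active = t0 + timedelta(days=6)      # owner opens the app: window slides
    r["day12_no_pin"] = attempt_registration(acct, t0 + timedelta(days=12), None, "key-x")[0]
    status, alerted = attempt_registration(acct, t0 + timedelta(days=20), None, "key-x")
    r["day20_no_pin"], r["alerted"] = status, alerted
    r["late_contact_alerted"] = "+15550003333" in alerted  # added the number after takeover
    return r
```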


Isn't the pin lock just a time lock?
